
AC-4 INFORMATION FLOW ENFORCEMENT


Overview

Number: AC-4
Title: Information Flow Enforcement
Impact: MODERATE
Priority: P1
Subject Area: Access Control

Instructions
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on Assignment: organization-defined information flow control policies.
Guidance
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.

Enhancements
AC-4 (1) Object Security Attributes
Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information.

The information system uses Assignment: organization-defined security attributes associated with Assignment: organization-defined information, source, and destination objects to enforce Assignment: organization-defined information flow control policies as a basis for flow control decisions.
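The label comparison described in AC-4 (1) (Secret may flow to Secret, Top Secret may not flow to Secret) is a lattice dominance check. The following is an added example, not part of the control text or any product: labels are a (level, compartments) pair, the level order and the permitted source/destination address pairs are constructed for the example, and a flow is allowed only when the destination label dominates the information label.

```python
"""Security-attribute flow check (added example; the levels, compartments and
address rules below are constructed, not taken from the control text)."""
import ipaddress
from dataclasses import dataclass

# Total order on classification levels (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # caveats/compartments, empty by default

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: at least as high a level AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def flow_decision(info: Label, destination: Label) -> str:
    """Enforcement response for information labelled `info` flowing to `destination`.

    'allow' when the destination dominates the information label,
    'block' otherwise (e.g. TOP SECRET -> SECRET, or a compartment the
    destination lacks). A real enforcement point would log/alert on 'block'.
    """
    return "allow" if destination.dominates(info) else "block"


# Address attributes as used by a traffic-filter firewall: permitted
# (source network, destination network) pairs. Constructed policy.
ADDRESS_RULES = [
    (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")),
]


def address_allowed(src: str, dst: str, rules=ADDRESS_RULES) -> bool:
    """True only if some rule covers both the source and the destination address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in rules)


if __name__ == "__main__":
    secret, top_secret = Label("SECRET"), Label("TOP SECRET")
    print(flow_decision(secret, secret))                                   # allow
    print(flow_decision(top_secret, secret))                               # block
    print(flow_decision(Label("SECRET", frozenset({"NOFORN"})), secret))   # block
    print(address_allowed("10.1.4.7", "10.2.0.9"))                         # True
```

The compartment check matters as much as the level check: a Secret//NOFORN object must not flow to a plain Secret destination even though the levels are equal, and the example returns "block" for that case.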

AC-4 (2) Processing Domains
Within information systems, protected processing domains are processing spaces that have controlled interactions with other processing spaces, thus enabling control of information flows between these spaces and to/from data/information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, information system processes are assigned to domains; information is identified by types; and information flows are controlled based on allowed information accesses (determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains.

The information system uses protected processing domains to enforce Assignment: organization-defined information flow control policies as a basis for flow control decisions.
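Domain and type enforcement, as AC-4 (2) describes it, reduces to three enumerated tables: which domains may access which types and how, which domains may signal which, and which executions move a process into another domain. The following is an added example, not code from the control or from any DTE implementation; the domains, types and rules are constructed, and anything not listed is denied.

```python
"""Domain and type enforcement policy check (added example; the policy tables
are constructed for illustration, not from the control text)."""
from typing import Dict, FrozenSet, Tuple

# (domain, type) -> allowed access modes. Anything absent is denied.
ACCESS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("user_d",   "user_t"):   frozenset({"read", "write"}),
    ("user_d",   "mail_t"):   frozenset({"read"}),
    ("mailer_d", "mail_t"):   frozenset({"read", "write"}),
    ("mailer_d", "spool_t"):  frozenset({"write"}),
    ("admin_d",  "config_t"): frozenset({"read", "write"}),
}

# Allowed signalling between domains: source domain -> destination domains.
SIGNALS: Dict[str, FrozenSet[str]] = {
    "admin_d": frozenset({"user_d", "mailer_d"}),
}

# Allowed domain transitions: executing an object of entry_point_type from
# from_domain puts the process into new_domain.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("user_d", "mailer_exec_t"): "mailer_d",
}


def access_allowed(domain: str, obj_type: str, mode: str) -> bool:
    """Does `domain` hold access `mode` ('read'/'write') to objects of `obj_type`?"""
    return mode in ACCESS.get((domain, obj_type), frozenset())


def signal_allowed(src_domain: str, dst_domain: str) -> bool:
    return dst_domain in SIGNALS.get(src_domain, frozenset())


def transition(domain: str, entry_type: str) -> str:
    """Domain a process ends up in after executing an object of entry_type
    (unchanged when no transition rule applies)."""
    return TRANSITIONS.get((domain, entry_type), domain)


def flow_allowed(src_domain: str, obj_type: str, dst_domain: str) -> bool:
    """Information can flow src -> dst through an object of obj_type only if the
    source may write that type and the destination may read it."""
    return (access_allowed(src_domain, obj_type, "write")
            and access_allowed(dst_domain, obj_type, "read"))


if __name__ == "__main__":
    print(flow_allowed("mailer_d", "mail_t", "user_d"))    # True
    print(flow_allowed("user_d", "mail_t", "mailer_d"))    # False: user_d cannot write mail_t
    print(transition("user_d", "mailer_exec_t"))           # mailer_d
```

Note that `flow_allowed` is derived from the access table rather than stored separately, which is the point of DTE: every information flow between domains is mediated by some typed object, so the write/read pair on that type is the flow rule.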

AC-4 (3) Dynamic Information Flow Control
Organizational policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include, for example, changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events.

The information system enforces dynamic information flow control based on Assignment: organization-defined policies.

AC-4 (4) Content Check Encrypted Information

The information system prevents encrypted information from bypassing content-checking mechanisms by Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; Assignment: organization-defined procedure or method.

AC-4 (5) Embedded Data Types
Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes, for example, inserting executable files as objects within word processing files, inserting references or descriptive information into a media file, and compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools.

The information system enforces Assignment: organization-defined limitations on embedding data types within other data types.
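AC-4 (5) asks for a limit on embedding depth tied to what the inspection tools can actually open. The following is an added example, not part of the control text or any product: it walks ZIP archives nested inside ZIP archives (detected by the ZIP local-file-header signature, not by filename), stops as soon as nesting exceeds an assumed inspection limit, and blocks the transfer rather than passing the uninspected levels through. The sample archives are constructed in memory.

```python
"""Embedded-data-type depth limit for archives (added example; MAX_DEPTH and the
sample archives are constructed for illustration)."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # ZIP local file header signature
MAX_DEPTH = 2               # assumed depth the inspection tooling can handle


def archive_depth(data: bytes, depth: int = 0, limit: int = MAX_DEPTH) -> int:
    """Return the maximum ZIP nesting depth found in `data` (0 = not an archive).

    Raises ValueError as soon as nesting exceeds `limit`, so a deeply nested
    archive is rejected without expanding every level.
    """
    if not data.startswith(ZIP_MAGIC):
        return depth
    if depth + 1 > limit:
        raise ValueError(f"archive nested deeper than {limit} levels")
    deepest = depth + 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # zf.read() returns the decompressed member; recurse into it.
            deepest = max(deepest, archive_depth(zf.read(name), depth + 1, limit))
    return deepest


def flow_decision(data: bytes, limit: int = MAX_DEPTH) -> str:
    """'allow' if every embedded level can be inspected, otherwise 'block'.
    A member that claims to be a ZIP but cannot be parsed is also blocked,
    since it cannot be inspected."""
    try:
        archive_depth(data, limit=limit)
        return "allow"
    except (ValueError, zipfile.BadZipFile):
        return "block"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    flat = make_zip({"a.txt": b"hello"})
    two_deep = make_zip({"inner.zip": flat})
    three_deep = make_zip({"inner.zip": two_deep})
    print(archive_depth(flat), archive_depth(two_deep))   # 1 2
    print(flow_decision(two_deep), flow_decision(three_deep))   # allow block
```

A production filter would also cap the total decompressed size per level; depth is only one of the resource limits an inspection path needs.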

AC-4 (6) Metadata
Metadata is information used to describe the characteristics of data. Metadata can include structural metadata describing data structures (e.g., data format, syntax, and semantics) or descriptive metadata describing data contents (e.g., age, location, telephone number). Enforcing allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata with regard to data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., ensuring sufficiently strong binding techniques with appropriate levels of assurance).

The information system enforces information flow control based on Assignment: organization-defined metadata.

AC-4 (7) One-Way Flow Mechanisms

The information system enforces Assignment: organization-defined one-way flows using hardware mechanisms.

AC-4 (8) Security Policy Filters
Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non-language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives).

The information system enforces information flow control using Assignment: organization-defined security policy filters as a basis for flow control decisions for Assignment: organization-defined information flows.

AC-4 (9) Human Reviews
Organizations define security policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of, or as a complement to, automated security policy filtering. Human reviews may also be employed as deemed necessary by organizations.

The information system enforces the use of human reviews for Assignment: organization-defined information flows under the following conditions: Assignment: organization-defined conditions.

AC-4 (10) Enable / Disable Security Policy Filters
For example, as allowed by the information system authorization, administrators can enable security policy filters to accommodate approved data types.

The information system provides the capability for privileged administrators to enable/disable Assignment: organization-defined security policy filters under the following conditions: Assignment: organization-defined conditions.

AC-4 (11) Configuration Of Security Policy Filters
For example, to reflect changes in security policies, administrators can change the list of "dirty words" that security policy mechanisms check in accordance with the definitions provided by organizations.

The information system provides the capability for privileged administrators to configure Assignment: organization-defined security policy filters to support different security policies.

AC-4 (12) Data Type Identifiers
Data type identifiers include, for example, filenames, file types, file signatures/tokens, and multiple internal file signatures/tokens. Information systems may allow transfer of data only if compliant with data type format specifications.

The information system, when transferring information between different security domains, uses Assignment: organization-defined data type identifiers to validate data essential for information flow decisions.
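AC-4 (12) lists filenames, file types and file signatures/tokens as identifiers, and a filter that trusts the filename alone is easily defeated by renaming. The following is an added example, not part of the control text or any product: it requires the declared type (extension), the leading file signature and, where the format has one, a trailing token to agree. The signatures are the publicly documented ones for PNG, PDF, GIF and ZIP; the list of permitted types and the sample bytes are constructed.

```python
"""Data-type identifier validation (added example; the permitted-type policy is
constructed, the magic bytes are the standard ones for these formats)."""
from typing import Dict, NamedTuple, Optional, Set


class Signature(NamedTuple):
    head: bytes              # leading signature
    tail: Optional[bytes]    # trailing/internal token, None if the format has none


SIGNATURES: Dict[str, Signature] = {
    "png": Signature(b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk + its CRC
    "pdf": Signature(b"%PDF-", b"%%EOF"),
    "gif": Signature(b"GIF8", b";"),                           # GIF trailer byte
    "zip": Signature(b"PK\x03\x04", None),
}


def detect_types(data: bytes) -> Set[str]:
    """Every registered type whose leading signature matches (empty set = unknown)."""
    return {t for t, sig in SIGNATURES.items() if data.startswith(sig.head)}


def validate(filename: str, data: bytes) -> str:
    """'allow' only when extension, leading signature and trailing token all agree;
    otherwise a 'block: ...' reason suitable for the audit log."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sig = SIGNATURES.get(ext)
    if sig is None:
        return "block: type not permitted"
    if not data.startswith(sig.head):
        return f"block: content signature does not match declared type {ext}"
    # Trailing whitespace/newlines after the final token are common and harmless.
    if sig.tail is not None and not data.rstrip(b"\r\n").endswith(sig.tail):
        return f"block: missing trailing token for {ext}"
    return "allow"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"   # constructed
    print(validate("photo.png", png))                       # allow
    print(validate("photo.png", b"MZ" + b"\x00" * 30))      # block: signature mismatch
    print(validate("doc.pdf", b"%PDF-1.4\n...\n%%EOF\n"))   # allow
```

Checking the trailing token as well as the header is the "multiple internal file signatures/tokens" idea from the enhancement: a file that starts like one format but does not end like it is a strong hint of truncation or of a second format appended to the first.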

AC-4 (13) Decomposition Into Policy-Relevant Subcomponents
Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains. Parsing transfer files facilitates policy decisions on source, destination, certificates, classification, attachments, and other security-related component differentiators.

The information system, when transferring information between different security domains, decomposes information into Assignment: organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms.

AC-4 (14) Security Policy Filter Constraints
Data structure and content restrictions reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Security policy filters that restrict data structures include, for example, restricting file sizes and field lengths. Data content policy filters include, for example: (i) encoding formats for character sets (e.g., Universal Character Set Transformation Formats, American Standard Code for Information Interchange); (ii) restricting character data fields to only contain alpha-numeric characters; (iii) prohibiting special characters; and (iv) validating schema structures.

The information system, when transferring information between different security domains, implements Assignment: organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.
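AC-4 (8) describes structure and content filters (field sizes, file types, dirty/clean word lists, enumerated values) and AC-4 (14) tightens them to fully enumerated formats (character-set restrictions, alphanumeric-only fields, no special characters, schema validation). The following added example covers both enhancements in one filter over a small structured record; it is not the control's own code or any product's, and the schema, word lists and sample records are constructed.

```python
"""Security policy filter for a structured record (added example for AC-4 (8) and
AC-4 (14); schema, word lists and records are constructed for illustration)."""
import re
from typing import Dict, List, Tuple

# Fully enumerated schema: field -> (max length, pattern the whole value must match).
SCHEMA: Dict[str, Tuple[int, "re.Pattern"]] = {
    "id":       (16,   re.compile(r"[A-Za-z0-9]+")),          # alphanumeric only
    "priority": (1,    re.compile(r"[1-5]")),                 # enumerated value range
    "subject":  (80,   re.compile(r"[A-Za-z0-9 .,\-]*")),     # no special characters
    "body":     (2000, re.compile(r"[\x20-\x7e\n]*")),        # printable ASCII only
}
DIRTY_WORDS = {"projectx", "codename"}
CLEAN_WORDS = {"codename-public"}   # exact tokens known to be benign (reduce false positives)


def _tokens(text: str) -> List[str]:
    return re.findall(r"[A-Za-z0-9\-]+", text.lower())


def check_structure(record: Dict[str, str]) -> List[str]:
    """Schema, length and character-set constraints (the AC-4 (14) part)."""
    issues: List[str] = []
    extra = set(record) - set(SCHEMA)
    if extra:
        issues.append(f"unexpected fields: {sorted(extra)}")
    for field, (max_len, pattern) in SCHEMA.items():
        if field not in record:
            issues.append(f"missing field: {field}")
            continue
        value = record[field]
        if not value.isascii():
            issues.append(f"{field}: non-ASCII characters")
        if len(value) > max_len:
            issues.append(f"{field}: length {len(value)} exceeds {max_len}")
        if not pattern.fullmatch(value):
            issues.append(f"{field}: value fails format rule")
    return issues


def check_content(record: Dict[str, str]) -> List[str]:
    """Dirty-word check with a clean-word exception list (the AC-4 (8) part)."""
    issues: List[str] = []
    for field in ("subject", "body"):
        for tok in _tokens(record.get(field, "")):
            if tok in CLEAN_WORDS:
                continue
            # Catch dirty words appearing as part of hyphenated tokens too.
            if tok in DIRTY_WORDS or any(d in tok.split("-") for d in DIRTY_WORDS):
                issues.append(f"{field}: dirty word '{tok}'")
    return issues


def filter_decision(record: Dict[str, str]) -> Tuple[str, List[str]]:
    """('allow', []) or ('block', [reasons...]); all reasons are collected for the log."""
    issues = check_structure(record) + check_content(record)
    return ("allow" if not issues else "block"), issues


if __name__ == "__main__":
    good = {"id": "MSG001", "priority": "3", "subject": "Weekly status", "body": "All clear."}
    bad = {"id": "MSG 001", "priority": "9", "subject": "About ProjectX",
           "body": "x", "attachment": "y"}
    print(filter_decision(good))   # ('allow', [])
    print(filter_decision(bad))    # ('block', [...five reasons...])
```

The filter collects every violation rather than stopping at the first, which is what a human reviewer (AC-4 (9)) needs when a blocked item is escalated; the decision itself is still binary.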

AC-4 (15) Detection Of Unsanctioned Information
Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words.

The information system, when transferring information between different security domains, examines the information for the presence of Assignment: organization-defined unsanctioned information and prohibits the transfer of such information in accordance with the Assignment: organization-defined security policy.

AC-4 (16) Information Transfers On Interconnected Systems

Withdrawn: Incorporated into AC-4.

AC-4 (17) Domain Authentication
Attribution is a critical component of a security concept of operations. The ability to identify source and destination points for information flowing in information systems allows the forensic reconstruction of events when required, and encourages policy compliance by attributing policy violations to specific organizations/individuals. Successful domain authentication requires that information system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information.

The information system uniquely identifies and authenticates source and destination points by Selection (one or more): organization, system, application, individual for information transfer.

AC-4 (18) Security Attribute Binding
Binding techniques implemented by information systems affect the strength of security attribute binding to information. Binding strength and the assurance associated with binding techniques play an important part in the trust organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations.

The information system binds security attributes to information using Assignment: organization-defined binding techniques to facilitate information flow policy enforcement.
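AC-4 (18), together with the binding and integrity points in AC-4 (6), is about how much an enforcement point can trust a label that arrives with a payload. The following is an added example, not the control's own code or any product's: a labeling authority binds the attributes to the payload with an HMAC under a key shared with the enforcement point, and the enforcement point refuses to make a flow decision on any label whose binding does not verify (missing, altered, or moved to a different payload). The key is a placeholder and the level order is constructed.

```python
"""Security-attribute binding with an HMAC (added example for AC-4 (18)/(6); the
key is a placeholder and the level order is constructed for illustration)."""
import hashlib
import hmac
import json
from typing import Dict

KEY = b"example-key-replace-in-deployment"   # placeholder shared key (constructed)
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


def _canonical(label: Dict[str, str], payload: bytes) -> bytes:
    # Canonical JSON for the label and length prefixes on both parts, so the
    # label/payload boundary cannot be shifted to forge a different pairing.
    lab = json.dumps(label, sort_keys=True, separators=(",", ":")).encode()
    return len(lab).to_bytes(4, "big") + lab + len(payload).to_bytes(4, "big") + payload


def bind(label: Dict[str, str], payload: bytes, key: bytes = KEY) -> str:
    """Tag produced by the labeling authority over (label, payload)."""
    return hmac.new(key, _canonical(label, payload), hashlib.sha256).hexdigest()


def verify(label: Dict[str, str], payload: bytes, tag: str, key: bytes = KEY) -> bool:
    return hmac.compare_digest(bind(label, payload, key), tag)


def enforce(message: dict, dest_level: str, key: bytes = KEY) -> str:
    """Flow decision that consults the label only after its binding is verified."""
    label = message.get("label")
    payload = message.get("payload", b"")
    tag = message.get("tag", "")
    if label is None or not verify(label, payload, tag, key):
        return "block: unbound or tampered label"
    if LEVELS[dest_level] < LEVELS[label["level"]]:
        return "block: destination does not dominate label"
    return "allow"


def make_message(level: str, payload: bytes, key: bytes = KEY) -> dict:
    """What the labeling authority emits (constructed message format)."""
    label = {"level": level}
    return {"label": label, "payload": payload, "tag": bind(label, payload, key)}


if __name__ == "__main__":
    msg = make_message("SECRET", b"quarterly report")
    print(enforce(msg, "SECRET"))                                     # allow
    print(enforce(dict(msg, label={"level": "UNCLASSIFIED"}), "UNCLASSIFIED"))  # block: unbound...
```

The binding strength here comes from the keyed MAC and the canonical encoding; a label carried as a plain header (no key, or a hash without a key) gives no assurance against relabeling, which is the case the enhancement is warning about when it speaks of binding affecting the number of additional reviews required.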

AC-4 (19) Validation Of Metadata
This control enhancement requires the validation of metadata and the data to which the metadata applies. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions, considering metadata and the data to which the metadata applies as part of the payload. All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection.

The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.

AC-4 (20) Approved Solutions
Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The Unified Cross Domain Management Office (UCDMO) provides a baseline listing of approved cross-domain solutions.

The organization employs Assignment: organization-defined solutions in approved configurations to control the flow of Assignment: organization-defined information across security domains.

AC-4 (21) Physical / Logical Separation Of Information Flows
Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories.

The information system separates information flows logically or physically using Assignment: organization-defined mechanisms and/or techniques to accomplish Assignment: organization-defined required separations by types of information.

AC-4 (22) Access Only
The information system, for example, provides a desktop for users to access each connected security domain without providing any mechanisms to allow transfer of information between the different security domains.

The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.