Requirement text: AC.2.016: Control the flow of CUI in accordance with approved authorizations.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Information flow control regulates where information can travel within a system and
between systems (versus who can access the information) and without explicit regard to
subsequent accesses to that information. Flow control restrictions include the following:
keeping export-controlled information from being transmitted in the clear to the Internet;
blocking outside traffic that claims to be from within the organization; restricting requests
to the Internet that are not from the internal web proxy server; and limiting information
transfers between organizations based on data structures and content.
Organizations commonly use information flow control policies and enforcement
mechanisms to control the flow of information between designated sources and destinations
(e.g., networks, individuals, and devices) within systems and between interconnected
systems. Flow control is based on characteristics of the information or the information path.
Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards,
encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that
restrict system services, provide a packet-filtering capability based on header information,
or message-filtering capability based on message content (e.g., implementing key word
searches or using document characteristics). Organizations also consider the
trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and
software components) that are critical to information flow enforcement.
Transferring information between systems representing different security domains with
different security policies introduces risk that such transfers violate one or more domain
security policies.
Organizations consider the shared nature of commercial telecommunications services in the
implementation of security requirements associated with the use of such services.
Commercial telecommunications services are commonly based on network components and
consolidated management systems shared by all attached commercial customers and may
also include third party-provided access lines and other service elements. Such transmission
services may represent sources of increased risk despite contract security provisions. NIST
SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides
guidance on security for virtualization technologies.
In such situations, information owners or stewards provide guidance at designated policy
enforcement points between interconnected systems. Organizations consider mandating
specific architectural solutions when required to enforce specific security policies.
Enforcement includes: prohibiting information transfers between interconnected systems
(i.e., allowing access only); employing hardware mechanisms to enforce one-way
information flows; and implementing trustworthy regrading mechanisms to reassign
security attributes and security labels.
CMMC CLARIFICATION
Flow control regulates where and how information can flow. Firewalls and proxy servers
can be used to control traffic flow. Typically, organizations will have a firewall between the
internal network and the internet. Often multiple firewalls are used inside a network to
create zones to separate sensitive data, business units or user groups. Proxy servers can be
used to break the connection between multiple networks. All traffic entering or leaving a
network is intercepted by the proxy, preventing direct access between networks. This can
have security and performance benefits. Additionally, organizations should ensure that all
sensitive information is encrypted before being transmitted over the internet.
Example
You configure a proxy device on your company’s network. Your goal is to better mask and
protect the devices inside your network. After you configure the device, information does
not flow directly from the internal network to the internet. The proxy system intercepts the
traffic. Then, the proxy analyzes it to determine if it is legitimate. If it is, the system allows
it on the network and sends it to its destination.
References
• NIST SP 800-171 Rev 1 3.1.3
• CIS Controls v7.1 12.1, 12.2, 12.5, 12.8, 13.3, 14.1, 14.6, 14.7
• NIST CSF v1.1 ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
• CERT RMM v1.2 TM:SG4.SP1
• NIST SP 800-53 Rev 4 AC-4
• UK NCSC Cyber Essentials