DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B (MODIFIED)
Organizations employ information flow control policies and enforcement mechanisms to
control the flow of information between designated sources and destinations within systems
and between connected systems. Flow control is based on the characteristics of the
information and/or the information path. Enforcement occurs, for example, in boundary
protection devices that employ rule sets or establish configuration settings that restrict
system services; provide a packet-filtering capability based on header information; or
provide message-filtering capability based on message content.
Transferring information between systems in different security domains with different
security policies introduces risk that the transfers violate one or more domain security
policies. In such situations, information owners or stewards provide guidance at designated
policy enforcement points between connected systems. Organizations mandate specific
architectural solutions when required to enforce logical or physical separation between
systems in different security domains. Enforcement includes prohibiting information
transfers between connected systems; employing hardware mechanisms to enforce one-way
information flows; and verifying write permissions before accepting information from
another security domain or connected system.
CMMC CLARIFICATION
This practice is not concerned with classified security domains. It addresses information
flow among domains containing CUI and those that do not. While access control is concerned
with controlling access to information by users and processes, controlling information flow
(information flow control) is concerned with where information is allowed to move within a
system and between systems. In general, information flow control can apply to any needed
flow restrictions. For this CMMC practice the flows of concern are primarily between CUI
authorized and CUI not-authorized components/systems. Any attempt to move CUI to a
domain that has not been designated as a domain allowed to store or process CUI must be
blocked.
Example
You are the IT administrator for your organization. You have designed the network in each
of the regional offices to have two zones: one zone that can store and process CUI data and a
second zone where CUI information is not permitted. A firewall separates the two zones in
the office so staff cannot access files and resources within the office, and a site-to-site VPN
over the corporate WAN allows the CUI zones to communicate. To ensure separation
between CUI projects, staff are given file access permissions to project servers and file stores
by project. To facilitate the transfer of CUI files and data between the same project team
working in each regional office, you install a SharePoint server on the CUI zone of the
headquarters office. Authorized staff have accounts and use their MFA token to log into the
SharePoint server to view or modify project files stored there.
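The two-zone design above can be checked against the firewall rule set itself. The
following Python check is an added illustration, not part of the CMMC guide or its
sources: it flags allow rules that let traffic cross between a CUI zone and anything
outside one. The zone addresses, the rule names and the Rule, cui_scope and audit
helpers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not from the guide): CUI zones of two
# regional offices and headquarters, joined by the site-to-site VPN.
CUI_ZONES = [ipaddress.ip_network(n) for n in
             ("10.10.1.0/24", "10.20.1.0/24", "10.0.1.0/24")]

@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR

def cui_scope(cidr):
    """Classify a CIDR as 'inside' a CUI zone, 'touching' one, or 'outside' all."""
    net = ipaddress.ip_network(cidr)
    if any(net.subnet_of(z) for z in CUI_ZONES):
        return "inside"
    if any(net.overlaps(z) for z in CUI_ZONES):
        return "touching"
    return "outside"

def audit(rules):
    """Return (rule name, reason) for each allow rule that crosses the CUI boundary.
    Rule order is ignored, so a rule shadowed by an earlier deny is still reported."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = cui_scope(r.src), cui_scope(r.dst)
        if src == dst and src != "touching":
            continue  # wholly within CUI zones, or never reaches them
        findings.append((r.name, f"src {src} / dst {dst} CUI zones"))
    return findings

# Constructed rule set for one regional office firewall.
RULES = [
    Rule("cui-to-hq-sharepoint", "allow", "10.10.1.0/24", "10.0.1.20/32"),
    Rule("office-to-proxy", "allow", "10.10.2.0/24", "192.0.2.10/32"),
    Rule("legacy-backup", "allow", "10.10.1.0/24", "10.10.2.50/32"),
    Rule("helpdesk-any", "allow", "10.10.2.0/24", "10.10.0.0/16"),
    Rule("block-cui-out", "deny", "10.10.1.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"REVIEW {name}: {reason}")
```

A "touching" result marks a broad range, such as 10.10.0.0/16, that includes a CUI
subnet without naming it, a case that is easy to miss when reading rules one by one.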
References
• CMMC modification of Draft NIST SP 800-171B 3.1.3e
• CIS Controls v7.1 12.1, 12.2, 13.1, 13.3, 14.1, 14.2, 14.5, 14.6, 14.7, 15.6, 15.10
• NIST CSF v1.1 ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, DE.AE-1
• NIST SP 800-53 Rev 4 AC-4, AC-4(1), AC-4(6), AC-4(8), AC-4(12), AC-4(13), AC-4(15),
AC-4(20), SC-46