Check: SRG-NET-000323-ALG-000067
Application Layer Gateway (ALG) Security Requirements Guide (SRG):
SRG-NET-000323-ALG-000067
(in version v1 r2)
Title
The ALG that is part of a CDS must use source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions. (Cat II impact)
Discussion
If information flow is not enforced based on approved authorizations, the system may become compromised. A mechanism to detect and prevent unauthorized communication flow must be configured and used to filter information flow across security boundaries protected by the ALG. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. Security attributes may be used to manage information flow control. Organization-defined information and organization-defined information flow control policies for CDS systems depend on the environment, data, and security boundaries. Organizations implementing CDS must follow the DoD-required process of testing, baselining, and risk assessment to ensure the rigor and accuracy necessary to rely upon a CDS for cross domain security. Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and/or source/destination objects. The ALG uses the result of the attribute-object comparison to take an organization-defined action based on configured rules. Security attributes most often include source and destination addresses.
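The attribute-object comparison described above, shown as an added example (not part of the SRG or any vendor's ALG implementation): security labels on the source, destination, and information are compared against organization-defined flow rules, and the decision defaults to deny. The domain names, levels, compartments, and rule format are constructed for illustration.

```python
"""Attribute-based flow control decision for a CDS/ALG (illustrative model)."""
from dataclasses import dataclass

# Ordered classification levels (constructed sample; organization-defined in practice)
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass(frozen=True)
class Label:
    """Security attributes: classification level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self may hold other's information if it is at least as high and holds all compartments
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

@dataclass(frozen=True)
class FlowRule:
    """Organization-defined rule: what may cross from one domain to another."""
    src_domain: str
    dst_domain: str
    max_level: str          # highest classification permitted to cross under this rule
    formats: frozenset      # permitted data structures (e.g. MIME types)

def decide(rules, src, dst, info_label, info_format):
    """Return ('ALLOW' | 'DENY', reason). No matching rule means no flow (default deny)."""
    src_domain, src_label = src
    dst_domain, dst_label = dst
    if not src_label.dominates(info_label):
        return "DENY", "source attributes do not dominate the information label"
    if not dst_label.dominates(info_label):
        return "DENY", "destination attributes do not dominate the information label"
    for r in rules:
        if r.src_domain == src_domain and r.dst_domain == dst_domain:
            if LEVELS[info_label.level] > LEVELS[r.max_level]:
                return "DENY", f"rule caps {src_domain}->{dst_domain} at {r.max_level}"
            if info_format not in r.formats:
                return "DENY", f"format {info_format} not permitted by rule"
            return "ALLOW", f"matched rule {src_domain}->{dst_domain}"
    return "DENY", "no organization-defined rule for this source/destination pair"

# Constructed sample objects and rules (hypothetical domains LOW and HIGH)
LOW = ("LOW", Label("UNCLASSIFIED"))
HIGH = ("HIGH", Label("SECRET", frozenset({"ALPHA"})))
RULES = [
    FlowRule("LOW", "HIGH", "UNCLASSIFIED", frozenset({"text/plain", "application/pdf"})),
    FlowRule("HIGH", "LOW", "UNCLASSIFIED", frozenset({"text/plain"})),
]
```

Each denial carries a reason so the decision can be logged and reviewed against the configured rules during the check.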
Check Content
If the ALG is not part of a CDS, this is not applicable. Verify the ALG uses source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions. If the ALG is not configured to use source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions, this is a finding.
Fix Text
If the ALG is part of a CDS, configure the ALG to use source and destination security attributes associated with organization-defined information, source, and/or destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.
Additional Identifiers
Rule ID: SV-68709r1_rule
Vulnerability ID: V-54463
Group Title: SRG-NET-000323-ALG-000067
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-002190 | The information system uses organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.