CCI-001414

Enforce approved authorizations for controlling the flow of information between connected systems based on organization-defined information flow control policies.

Implementation Guidance

Determine if approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on [AC-04_ODP; information flow control policies within the system and between connected systems are defined].

Validation Procedures

Examine: [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; security architecture documentation; privacy architecture documentation; system design documentation; system configuration settings and associated documentation; system baseline configuration; list of information flow authorizations; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security and privacy architecture development responsibilities; organizational personnel with information security and privacy responsibilities; system developers]. Test: [SELECT FROM: Mechanisms implementing information flow enforcement policy].

The controls below (if any) were marked by NIST as being related to CCI-001414.