An error occurred:

CCI-002190

CCI-002190 Definition

Use organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.
Status
Type CheckType.technical

Master Assessment Datasheet

Implementation Guidance

Determine if: - [AC-04(01)_ODP[01]; security attributes to be associated with information, source, and destination objects are defined] associated with [AC-04(01)_ODP[03]; information objects to be associated with information security attributes are defined], [AC-04(01)_ODP[05]; source objects to be associated with information security attributes are defined], and [AC-04(01)_ODP[07]; destination objects to be associated with information security attributes are defined] are used to enforce [AC-04(01)_ODP[09]; information flow control policies as a basis for enforcement of flow control decisions are defined] as a basis for flow control decisions. - [AC-04(01)_ODP[02]; privacy attributes to be associated with information, source, and destination objects are defined] associated with [AC-04(01)_ODP[04]; information objects to be associated with privacy attributes are defined], [AC-04(01)_ODP[06]; source objects to be associated with privacy attributes are defined], and [AC-04(01)_ODP[08]; destination objects to be associated with privacy attributes are defined] are used to enforce [AC-04(01)_ODP[09]; information flow control policies as a basis for enforcement of flow control decisions are defined] as a basis for flow control decisions.

Validation Procedures

Examine: [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of security and privacy attributes and associated source and destination objects; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with privacy responsibilities; system developers]. Test: [SELECT FROM: Mechanisms implementing information flow enforcement policy].