CCI-000032

The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.

Implementation Guidance

The organization being inspected/assessed configures the information system to enforce information flow control using security policy filters defined in AC-4 (8), CCI 1417 as a basis for flow control decisions for all information flows. For information system components that have applicable STIGs or SRGs, the organization being inspected/assessed must comply with the STIG/SRG guidance that pertains to CCI 32. DoD has defined the information flows as all information flows.

Validation Procedures

The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to enforce information flow control using security policy filters defined in AC-4 (8), CCI 1417 as a basis for flow control decisions for all information flows. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 32. DoD has defined the information flows as all information flows.

Compelling Evidence

1.) Signed and dated documentation which shows the system is setup as defined in the documentation for CCI 1417. 2.) Applicable STIG/SRG checks.

The controls below (if any) were marked by NIST as being related to CCI-000032.