CCI-000032

Enforce information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.

Implementation Guidance

Determine if: - information flow control is enforced using [AC-04(08)_ODP[01]; security policy filters to be used as a basis for enforcing information flow control are defined] as a basis for flow control decisions for [AC-04(08)_ODP[03]; information flows for which information flow control is enforced by security filters are defined]. - information flow control is enforced using [AC-04(08)_ODP[02]; privacy policy filters to be used as a basis for enforcing information flow control are defined] as a basis for flow control decisions for [AC-04(08)_ODP[04]; information flows for which information flow control is enforced by privacy filters are defined].

Validation Procedures

Examine: [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of security policy filters regulating flow control decisions; list of privacy policy filters regulating flow control decisions; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers]. Test: [SELECT FROM: Mechanisms implementing information flow enforcement policy; security and privacy policy filters].

The controls below (if any) were marked by NIST as being related to CCI-000032.