Navigate

AC-4(3)

AC-4(3): Dynamic Information Flow Control

The information system enforces dynamic information flow control based on [organization-defined policies].

Supplemental

Organizational policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include, for example, changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-4(3).

Control	Description
SI-4	The organization: a: Monitors the information system to detect: 1: Attacks and indicators of potential attacks in accordance with [organization-defined monitoring objectives]; and 2: Unauthorized local, network, and remote connections; b: Identifies unauthorized use of the information system through [organization-defined techniques and methods]; c: Deploys monitoring devices: 1: Strategically within the information system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g: Provides [organization-defined information system monitoring information] to [organization-defined personnel or roles] [one or more of as needed/ {{ insert: param, si-4_prm_6 }} ].

Control

Description

SI-4

The organization:

a: Monitors the information system to detect:
- 1: Attacks and indicators of potential attacks in accordance with [organization-defined monitoring objectives]; and
- 2: Unauthorized local, network, and remote connections;

b: Identifies unauthorized use of the information system through [organization-defined techniques and methods];

c: Deploys monitoring devices:
- 1: Strategically within the information system to collect organization-determined essential information; and
- 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization;

d: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

e: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

f: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

g: Provides [organization-defined information system monitoring information] to [organization-defined personnel or roles] [one or more of as needed/ {{ insert: param, si-4_prm_6 }} ].

Enhancements

The controls below (if any) add on to the requirements of AC-4(3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-4(3).

CCI	Definition
CCI-000027	Enforce organization-defined information flow control policies.
CCI-002192	Defines the policies to enforce dynamic information flow control.