Navigate

AC-4(4)

AC-4(4): Flow Control of Encrypted Information

Prevent encrypted information from bypassing [information flow control mechanisms that encrypted information is prevented from bypassing are defined;] by [one or more of "decrypting the information"/"blocking the flow of the encrypted information"/"terminating communications sessions attempting to pass encrypted information"/"{{ insert: param, ac-04.04_odp.03 }} "].

Supplemental

Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.

CIA Levels
Confidentiality	high
Integrity	high
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-4(4).

Control	Description
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].

Control

Description

SI-4

a: Monitor the system to detect:
- 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and
- 2: Unauthorized local, network, and remote connections;

b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;];

c: Invoke internal monitoring capabilities or deploy monitoring devices:
- 1: Strategically within the system to collect organization-determined essential information; and
- 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization;

d: Analyze detected events and anomalies;

e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

f: Obtain legal opinion regarding system monitoring activities; and

g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].

Enhancements

The controls below (if any) add on to the requirements of AC-4(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-4(4).

CCI	Definition
CCI-000028	Prevent encrypted information from bypassing organization-defined flow control mechanisms by employing organization-defined procedures or methods.
CCI-002193	Defines procedures or methods to be employed to prevent encrypted information from bypassing flow control mechanisms, such as decrypting the information, blocking the flow of the encrypted information, and/or terminating communications sessions attempting to pass encrypted information.
CCI-003662	Defines the information flow control mechanisms to prevent the bypassing of encrypted information.