Control: The information system enforces approved authorisations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organisation-defined information flow control policies].
Information Flow Enforcement Control Enhancements:
AC-4 (1) Information flow enforcement - Object security attributes
The information system uses [Assignment: organisation-defined security attributes] associated with [Assignment: organisation-defined information, source, and destination objects] to enforce [Assignment: organisation-defined information flow control policies] as a basis for flow control decisions.
AC-4 (2) Information flow enforcement - Processing domains
The information system uses protected processing domains to enforce [Assignment: organisation-defined information flow control policies] as a basis for flow control decisions.
AC-4 (3) Information flow enforcement - Dynamic information flow control
The information system enforces dynamic information flow control based on [Assignment: organisation-defined policies].
AC-4 (4) Information flow enforcement - Content check encrypted information
The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organisation-defined procedure or method]].
AC-4 (5) Information flow enforcement - Embedded data types
The information system enforces [Assignment: organisation-defined limitations] on embedding data types within other data types.
AC-4 (6) Information flow enforcement - Metadata
The information system enforces information flow control based on [Assignment: organisation-defined metadata].
AC-4 (7) Information flow enforcement - One way flow mechanisms
The information system enforces [Assignment: organisation-defined one-way information flows] using hardware mechanisms.
AC-4 (8) Information flow enforcement - Security policy filters
The information system enforces information flow control using [Assignment: organisation-defined security policy filters] as a basis for flow control decisions for [Assignment: organisation-defined information flows].
AC-4 (9) Information flow enforcement - Human reviews
The information system enforces the use of human reviews for [Assignment: organisation-defined information flows] under the following conditions: [Assignment: organisation-defined conditions].
AC-4 (10) Information flow enforcement - Enable / Disable security policy filters
The information system provides the capability for privileged administrators to enable/disable [Assignment: organisation-defined security policy filters] under the following conditions: [Assignment: organisation-defined conditions].
AC-4 (11) Information flow enforcement - Configuration of security policy filters
The information system provides the capability for privileged administrators to configure [Assignment: organisation-defined security policy filters] to support different security policies.
AC-4 (12) Information flow enforcement - Data type identifiers
The information system, when transferring information between different security domains, uses [Assignment: organisation-defined data type identifiers] to validate data essential for information flow decisions.
AC-4 (13) Information flow enforcement - Decomposition into policy relevant subcomponents
The information system, when transferring information between different security domains, decomposes information into [Assignment: organisation-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
AC-4 (14) Information flow enforcement - Security policy filter constraints
The information system, when transferring information between different security domains, implements [Assignment: organisation-defined security policy filters] requiring fully enumerated formats that restrict data structure and content.
AC-4 (15) Information flow enforcement - Detection of unsanctioned information
The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organisation-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organisation-defined security policy].
AC-4 (16) Information flow enforcement - Information transfers on interconnected systems
[Withdrawn: Incorporated into AC-4].
AC-4 (17) Information flow enforcement - Domain authentication
The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organisation, system, application, individual] for information transfer.
AC-4 (18) Information flow enforcement - Security attribute binding
The information system binds security attributes to information using [Assignment: organisation-defined binding techniques] to facilitate information flow policy enforcement.
AC-4 (19) Information flow enforcement - Validation of metadata
The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
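The following is an added worked example and is not part of the NIST SP 800-53 control text. It sketches a minimal cross-domain security policy filter of the kind enhancements (12), (14), (15) and (19) describe: data type identifiers select a fully enumerated format, every field of both payload and metadata must match that format exactly, and values are scanned for unsanctioned content. It also binds the security label to the payload with an HMAC (18), refuses write-down of a bound label to a lower domain (1), and implements the "blocking the flow of the encrypted information" option of (4) with an entropy heuristic. The type identifier, field names, label set, patterns, key and sample records are all assumptions made up for illustration; a real guard would take them from the organisation-defined policy.

```python
"""Added example, not part of the NIST SP 800-53 AC-4 text: a minimal
cross-domain security policy filter. Type identifiers, field names, labels,
patterns, the binding key and the sample records are assumptions."""
import hashlib
import hmac
import json
import math
import re

# Assumption: the binding key lives only in the guard, so a sender cannot
# relabel a record it did not submit through the guard (AC-4 (18)).
BINDING_KEY = b"example-guard-binding-key"

# Assumption: organisation-defined security attributes, low to high (AC-4 (1)).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "SECRET": 2}

# AC-4 (12)/(14): one fully enumerated format per data type identifier. Every
# permitted field is listed, each with a pattern that bounds its content.
SCHEMAS = {
    "weather.report.v1": {
        "station": re.compile(r"[A-Z]{4}"),
        "temp_c": re.compile(r"-?\d{1,2}(\.\d)?"),
        "summary": re.compile(r"[A-Za-z0-9 ,.]{1,80}"),
    },
}
# AC-4 (19): metadata gets its own enumerated format, checked the same way.
META_SCHEMA = {
    "label": re.compile("|".join(LEVELS)),
    "binding": re.compile(r"[0-9a-f]{64}"),
}
# AC-4 (15): organisation-defined unsanctioned information (constructed patterns).
UNSANCTIONED = [re.compile(r"\bEYES ONLY\b"), re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]
# AC-4 (4): a string this long with this many bits of entropy per character is
# treated as encrypted or compressed and blocked rather than passed unchecked.
ENTROPY_MIN_LEN, ENTROPY_LIMIT = 32, 4.8


def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _binding(record: dict, label: str) -> str:
    msg = _canonical(record) + b"\0" + label.encode()
    return hmac.new(BINDING_KEY, msg, hashlib.sha256).hexdigest()


def bind_attributes(record: dict, label: str) -> dict:
    """AC-4 (18): tie the label to the payload so neither can be swapped alone."""
    return {"data": record, "meta": {"label": label, "binding": _binding(record, label)}}


def shannon_entropy(text: str) -> float:
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _check_fields(part: dict, schema: dict, where: str):
    """AC-4 (14): exact field set, string values only, content bounded by pattern.
    AC-4 (15)/(4): every value is also scanned for unsanctioned content and entropy.
    Returns None when the part is acceptable, otherwise the reason for denial."""
    if set(part) != set(schema):
        return f"{where}: fields outside the enumerated format"
    for field, pattern in schema.items():
        value = part[field]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            return f"{where}.{field}: content outside the enumerated format"
        if any(p.search(value) for p in UNSANCTIONED):
            return f"{where}.{field}: unsanctioned information"
        if len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) > ENTROPY_LIMIT:
            return f"{where}.{field}: looks encrypted, content check bypassed"
    return None


def filter_transfer(msg: dict, type_id: str, dest_level: str) -> tuple:
    """Decide whether msg may cross into dest_level. Returns (allowed, reason)."""
    schema = SCHEMAS.get(type_id)  # AC-4 (12): unknown type identifier -> deny
    if schema is None:
        return False, f"unknown data type identifier {type_id!r}"
    data, meta = msg.get("data"), msg.get("meta")
    if not isinstance(data, dict) or not isinstance(meta, dict):
        return False, "malformed envelope"
    err = _check_fields(meta, META_SCHEMA, "meta")  # AC-4 (19): metadata first
    if err:
        return False, err
    if not hmac.compare_digest(_binding(data, meta["label"]), meta["binding"]):
        return False, "security attribute binding failed"  # AC-4 (18)
    if LEVELS[meta["label"]] > LEVELS.get(dest_level, -1):  # AC-4 (1): no write-down
        return False, f"{meta['label']} may not flow to {dest_level}"
    err = _check_fields(data, schema, "data")
    if err:
        return False, err
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample record, not real data.
    rec = {"station": "KJFK", "temp_c": "21.5", "summary": "Clear skies, light wind"}
    print(filter_transfer(bind_attributes(rec, "UNCLASSIFIED"), "weather.report.v1", "UNCLASSIFIED"))
```

The order of checks matters: metadata is validated before the binding is verified (so a malformed label cannot be used as a lookup key), the binding before the flow decision (so the label is trusted only once it is known to belong to this payload), and the payload last. Denying on an unknown type identifier rather than falling back to a permissive default is the point of (12); denying on any extra field, rather than stripping it, is the point of (14).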
AC-4 (20) Information flow enforcement - Approved solutions
The organisation employs [Assignment: organisation-defined solutions in approved configurations] to control the flow of [Assignment: organisation-defined information] across security domains.
AC-4 (21) Information flow enforcement - Physical / Logical separation of information flows
The information system separates information flows logically or physically using [Assignment: organisation-defined mechanisms and/or techniques] to accomplish [Assignment: organisation-defined required separations by types of information].
AC-4 (22) Information flow enforcement - Access only
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.