| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
AC-4(8) |
FedRAMP_High_R4_AC-4(8) |
FedRAMP High AC-4 (8) |
Access Control |
Security Policy Filters |
Shared |
n/a |
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
Supplemental Guidance: Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the- shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). |
link |
1 |
| hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
24 |
| hipaa |
0859.09m1Organizational.78-09.m |
hipaa-0859.09m1Organizational.78-09.m |
0859.09m1Organizational.78-09.m |
08 Network Protection |
0859.09m1Organizational.78-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. |
|
14 |
| hipaa |
0944.09y1Organizational.2-09.y |
hipaa-0944.09y1Organizational.2-09.y |
0944.09y1Organizational.2-09.y |
09 Transmission Protection |
0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services |
Shared |
n/a |
Security is maintained through all aspects of the transaction. |
|
8 |
| hipaa |
1131.01v2System.2-01.v |
hipaa-1131.01v2System.2-01.v |
1131.01v2System.2-01.v |
11 Access Control |
1131.01v2System.2-01.v 01.06 Application and Information Access Control |
Shared |
n/a |
Outputs from application systems handling covered information are limited to the minimum necessary and sent only to authorized terminals/locations. |
|
6 |
| hipaa |
1150.01c2System.10-01.c |
hipaa-1150.01c2System.10-01.c |
1150.01c2System.10-01.c |
11 Access Control |
1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The access control system for the system components storing, processing or transmitting covered information is set with a default "deny-all" setting. |
|
7 |
| ISO27001-2013 |
A.13.1.3 |
ISO27001-2013_A.13.1.3 |
ISO 27001:2013 A.13.1.3 |
Communications Security |
Segregation of networks |
Shared |
n/a |
Groups of information services, users, and information systems shall be segregated on networks. |
link |
17 |
| ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
| ISO27001-2013 |
A.14.1.2 |
ISO27001-2013_A.14.1.2 |
ISO 27001:2013 A.14.1.2 |
System Acquisition, Development And Maintenance |
Securing application services on public networks |
Shared |
n/a |
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
link |
32 |
| ISO27001-2013 |
A.14.1.3 |
ISO27001-2013_A.14.1.3 |
ISO 27001:2013 A.14.1.3 |
System Acquisition, Development And Maintenance |
Protecting application services transactions |
Shared |
n/a |
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
link |
29 |
| NIST_SP_800-171_R2_3 |
.1.3 |
NIST_SP_800-171_R2_3.1.3 |
NIST SP 800-171 R2 3.1.3 |
Access Control |
Control the flow of CUI in accordance with approved authorizations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. |
link |
58 |
| NIST_SP_800-53_R4 |
AC-4(8) |
NIST_SP_800-53_R4_AC-4(8) |
NIST SP 800-53 Rev. 4 AC-4 (8) |
Access Control |
Security Policy Filters |
Shared |
n/a |
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
Supplemental Guidance: Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the- shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives). |
link |
1 |
| NIST_SP_800-53_R5 |
AC-4(8) |
NIST_SP_800-53_R5_AC-4(8) |
NIST SP 800-53 Rev. 5 AC-4 (8) |
Access Control |
Security and Privacy Policy Filters |
Shared |
n/a |
(a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and
(b) [Selection (OneOrMore): Block;Strip;Modify;Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. |
link |
1 |
| SWIFT_CSCF_v2022 |
2.1 |
SWIFT_CSCF_v2022_2.1 |
SWIFT CSCF v2022 2.1 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. |
link |
36 |