NIST 800-171 - Information Flow Enforcement (3.1.3)

Overview:
Control the flow of CUI in accordance with approved authorizations.

Action Items:
3.1.3[a]
Determine if: information flow control policies are defined.

3.1.3[b]
Determine if: methods and enforcement mechanisms for controlling the flow of CUI are defined.

3.1.3[c]
Determine if: designated sources and destinations (e.g., networks, individuals, and devices) for CUI within systems and between interconnected systems are identified.

3.1.3[d]
Determine if: authorizations for controlling the flow of CUI are defined.

3.1.3[e]
Determine if: approved authorizations for controlling the flow of CUI are enforced.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

1
Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; security plan; system design documentation; system configuration settings and associated documentation; list of information flow authorizations; system baseline configuration; system audit logs and records; other relevant documents or records].

2
Interview: System or network administrators; personnel with information security responsibilities; system developers].

3
Test: Mechanisms implementing information flow enforcement policy].

Related Documents (document name and content will vary by organization):
1) Access control policy
2) information flow control policies
3) procedures addressing information flow enforcement
4) security plan
5) system design documentation
6) system configuration settings and associated documentation
7) list of information flow authorizations
8) system baseline configuration
9) system audit logs and records
10) other relevant documents or record

Additional Guidance:
Information flow control regulates where information can travel within a system and between systems (as opposed to who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content.

Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.