This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
NIST 800-53 (r4) Supplemental Guidance:
Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives).
NIST 800-53 (r5) Discussion:
Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact or classification level of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives.
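The r4 and r5 text above describes two families of policy filter (data-structure checks and data-content checks) and notes that a clean word list applied alongside a dirty word list reduces false positives. The following is an added illustration of how such filters combine into a single flow decision; it is not code from NIST or 38North, and every limit, word list and field name in it is a constructed assumption rather than any organization's real policy.

```python
"""Constructed example: organization-defined security policy filters
applied to one information flow, returning a decision plus the reasons
that can be written to an audit log. All values are illustrative."""
import re
from dataclasses import dataclass, field


@dataclass
class FlowPolicy:
    # Data-structure filters (constructed limits)
    max_file_bytes: int = 1_000_000
    max_field_bytes: int = 256
    allowed_types: frozenset = frozenset({"txt", "csv", "pdf"})
    # Data-content filters (constructed lists)
    dirty_words: frozenset = frozenset({"secret", "proprietary"})
    # Clean phrases are approved text that happens to contain a dirty
    # word; removing them first is the false-positive reduction the
    # guidance mentions.
    clean_phrases: frozenset = frozenset({"open secret santa"})
    field_ranges: dict = field(default_factory=lambda: {"clearance": (0, 3)})


def structure_findings(policy, name, size, fields):
    """Data-structure checks: file type, file length, field sizes."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in policy.allowed_types:
        findings.append(f"type:{ext or 'none'}")
    if size > policy.max_file_bytes:
        findings.append("file-length")
    for key, value in fields.items():
        if len(str(value).encode()) > policy.max_field_bytes:
            findings.append(f"field-size:{key}")
    return findings


def content_findings(policy, text, fields):
    """Data-content checks: dirty words (after clean phrases), value ranges."""
    findings = []
    scrubbed = text.lower()
    for phrase in policy.clean_phrases:
        scrubbed = scrubbed.replace(phrase, " ")
    for word in policy.dirty_words:
        if re.search(rf"\b{re.escape(word)}\b", scrubbed):
            findings.append(f"dirty-word:{word}")
    for key, (low, high) in policy.field_ranges.items():
        if key in fields and not low <= fields[key] <= high:
            findings.append(f"range:{key}")
    return findings


def decide(policy, name, text, fields):
    """Deny-by-exception: any finding from any filter blocks the flow."""
    reasons = structure_findings(policy, name, len(text.encode()), fields)
    reasons += content_findings(policy, text, fields)
    return ("deny" if reasons else "permit"), reasons
```

The returned reasons list is what an assessor would expect to see in the flow-enforcement log, since it ties each denial back to the specific filter that fired.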
38North Guidance:
Meets Minimum Requirement:
Enforce information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.
Best Practice:
Implement policies on firewalls to filter for specific terms, match conditions, or actions. Examples include blocking adversary countries such as Russia or China from accessing the environment, or filtering on keywords such as porn, drugs, or alcohol.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots of edge router ACLs or exports of the inbound and outbound rules for all internal/external boundary protection devices. Verify that explicit deny-all, permit-by-exception rules are in place and that no any-any rules sit at the top of each rule set.
Evidence of specific non-allow data lists, such as non-allowed word lists, non-allowed image format lists, etc.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD