This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization prevents the unauthorized exfiltration of information across managed interfaces.
NIST 800-53 (r4) Supplemental Guidance:
Safeguards implemented by organizations to prevent unauthorized exfiltration of information from information systems include, for example: (i) strict adherence to protocol formats; (ii) monitoring for beaconing from information systems; (iii) monitoring for steganography; (iv) disconnecting external network interfaces except when explicitly needed; (v) disassembling and reassembling packet headers; and (vi) employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organizations or call backs to command and control centers. Devices enforcing strict adherence to protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to protocol formats and specification at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network or transport layers. This control enhancement is closely associated with cross-domain solutions and system guards enforcing information flow requirements. Related control: SI-3.
NIST 800-53 (r5) Discussion:
Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with cross-domain solutions and system guards that enforce information flow requirements.
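Two of the safeguards named above, monitoring for beaconing and traffic profile analysis, can be expressed as simple egress checks over flow records. The following Python is an added illustration, not code from NIST or 38North; the flow records, addresses, baselines and thresholds are constructed assumptions.

```python
# Added example: beaconing and volume-deviation checks over constructed egress flows.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, internal_src, external_dst, bytes_out)
FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 512), (60, "10.0.0.5", "203.0.113.9", 530),
    (120, "10.0.0.5", "203.0.113.9", 498), (180, "10.0.0.5", "203.0.113.9", 515),
    (240, "10.0.0.5", "203.0.113.9", 520),
    (10, "10.0.0.7", "198.51.100.20", 40_000), (95, "10.0.0.7", "198.51.100.21", 38_000),
    (300, "10.0.0.7", "198.51.100.22", 41_000),
    (5, "10.0.0.9", "192.0.2.44", 900_000_000),
]
# Assumed per-source baseline of expected outbound bytes for the window.
BASELINE_BYTES = {"10.0.0.5": 3_000, "10.0.0.7": 150_000, "10.0.0.9": 200_000}


def detect_beaconing(flows, min_conns=4, max_cv=0.2):
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant,
    i.e. coefficient of variation (stdev / mean) below max_cv (assumed threshold)."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        times[(src, dst)].append(ts)
    hits = []
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_cv:
            hits.append(pair)
    return hits


def detect_volume_deviation(flows, baseline, factor=5.0):
    """Return sources whose total outbound bytes exceed factor x baseline.
    A source with no baseline entry is treated as baseline 0 and always flagged."""
    total = defaultdict(int)
    for _, src, _, nbytes in flows:
        total[src] += nbytes
    return sorted(src for src, b in total.items() if b > factor * baseline.get(src, 0))


if __name__ == "__main__":
    for pair in detect_beaconing(FLOWS):
        print("beaconing candidate:", pair)
    for src in detect_volume_deviation(FLOWS, BASELINE_BYTES):
        print("volume deviation:", src)
```

In practice these results would feed the SIEM alerting described under Best Practice rather than be printed.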
38North Guidance:
Meets Minimum Requirement:
Deploy deep packet inspection firewalls (application layer versus network/transport layers) at network perimeter ingress and egress points.
Best Practice:
Deploy deep packet inspection firewalls (application layer versus network/transport layers) at network perimeter ingress and egress points.
Deploy Data Loss Prevention (DLP) software on all system components (e.g., servers, databases, networking devices).
Deploy/enable a host-based firewall on all system components.
Integrate firewall and DLP solutions with an incident management platform (e.g., SIEM, automated notification system) for real-time alerting of unauthorized exfiltration events.
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Evidence of deployed firewall and DLP solutions with configured rule sets.
Evidence of configured SIEM alerting rules relevant to unauthorized data exfiltration events.
Sample logs and/or alerts generated in response to an actual or simulated unauthorized exfiltration event (note: such logs and alerts may not exist for newly deployed systems, in which case the assessor will have to rely on the configured rule sets as evidence).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD