CMMC Practice AC.2.016

Control the flow of CUI in accordance with approved authorizations.


CMMC Version 1.02, pg. 65

Bold Coast Security Guidance

This can be fairly straightforward, or very complex! At the simplest of levels, in a small network, this means putting up a firewall which restricts traffic into and out of your network. and you want to intercept traffic leaving your network to hide the hosts behind the firewall. This is often done with proxy servers, or using Network address translation (NAT) to hide information about the hosts in your network. Please note Practice SC.1.175 also addresses firewalls, proxies, and management of these services. In a more complex network, you should consider additional firewalls, or access control lists on switches or virtual switches, to further restrict access within the network. These controls can keep network traffic isolated to those hosts which require access to CUI or other restricted data sources. For instance, parts of your network where CUI is stored may be separated from the rest of the network with a firewall or switch with advanced access control lists. Newer firewalls can further restrict access to the application layer allowing administrators to control access to certain applications, and to certain users. To measure the effectiveness of your implementation, monitor your firewalls and switches for irregular activity, and regularly review your rule-sets.

Discussion From Source

DRAFT NIST SP 800-171 R2 Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information . Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet- filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing keyword searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides guidance on security for virtualization technologies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems . Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regarding mechanisms to reassign security attributes and security labels.