STIGViewer Trial workspace — loading your subscription…

NIST 800-171 v2

110 security requirements available

3.1.3Derived Requirement

Access Control

Security Requirement

Control the flow of CUI in accordance with approved authorizations.

Discussion

Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.

Framework
NIST SP 800-171 Rev 2
Family
Access Control
Requirement Type
derived

Related Frameworks

7 paths across 2 frameworks
NIST 800-531 mapping
AC-4
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI6 mappings
CCI-001368
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001414
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001548
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001549
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001550
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001551
1.00
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  • DISA · 2025-01-23 · disa_cci_list · equivalent

Related STIGs

91 STIGs reach this control through 80 CCIs via 800-53 control AC-4. Expand a row to see the responsible NICE and O*NET roles.

Operating System — Server

1 STIG

Operating System — Mainframe

2 STIGs
Mainframe Product Security Requirements Guide
V3R42025-09-101 of 194 findings match

Network Device

59 STIGs
Router Security Requirements Guide
V5R22025-09-1029 of 123 findings match
Show 51 more STIGs in this category →
Application Layer Gateway Security Requirements Guide
V2R32025-09-1512 of 160 findings match
Layer 2 Switch Security Requirements Guide
V3R42026-02-124 of 36 findings match
Firewall Security Requirements Guide
V3R32025-09-223 of 35 findings match
Cisco ASA NDM Security Technical Implementation Guide
V2R42025-12-081 of 47 findings match
Cisco ASA VPN Security Technical Implementation Guide
V2R22024-08-221 of 41 findings match
F5 NGINX Security Technical Implementation Guide
V1R12026-01-071 of 32 findings match
Network Device Management Security Requirements Guide
V5R42025-09-101 of 105 findings match
Network Device Management Security Requirements Guide
V5R32025-02-111 of 104 findings match
RUCKUS ICX NDM Security Technical Implementation Guide
V1R12025-05-281 of 25 findings match
SDN Controller Security Requirements Guide
22024-05-281 of 34 findings match

Web / Application Server

7 STIGs

Virtualization / Container

9 STIGs

Cloud / Identity Service

1 STIG

Endpoint Security Management

7 STIGs

Productivity Application

3 STIGs

Uncategorized

2 STIGs