Information Flow Enforcement (AC-4)
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [organization-defined].
Security Baselines: MODERATE, HIGH (not in LOW)
Tags: access-control, authorization, least-privilege
Why These Connect
Baselined In (2): this control is included in the linked security baseline (LOW, MODERATE, or HIGH).
Supports (42): these related controls work together; a change to one may affect the others.
Mitigates (13): this control helps defend against or reduce the risk of the linked threat technique.
Enhances (32): these enhancements add specific capabilities or refinements to the base control.
Related Controls (29)
Baselines column: L = LOW, M = MODERATE, H = HIGH, - = not in any baseline.

ID      Title                                                        Baselines
AC-3    Access Enforcement                                           L M H
AC-6    Least Privilege                                              M H
AC-16   Security and Privacy Attributes                              -
AC-17   Remote Access                                                L M H
AC-19   Access Control for Mobile Devices                            L M H
AC-21   Information Sharing                                          M H
AU-10   Non-repudiation                                              H
CA-3    Information Exchange                                         L M H
CA-9    Internal System Connections                                  L M H
CM-7    Least Functionality                                          L M H
PL-9    Central Management                                           -
PM-24   Data Integrity Board                                         -
SA-17   Developer Security and Privacy Architecture and Design       H
SC-4    Information in Shared System Resources                       M H
SC-7    Boundary Protection                                          L M H
SC-16   Transmission of Security and Privacy Attributes              -
SC-31   Covert Channel Analysis                                      -
CM-12   Information Location                                         M H
IA-2    Identification and Authentication (Organizational Users)     L M H
PE-22   Component Marking                                            -
SC-28   Protection of Information at Rest                            M H
SC-32   System Partitioning                                          -
SC-39   Process Isolation                                            L M H
SC-46   Cross Domain Policy Enforcement                              -
SC-49   Hardware-enforced Separation and Policy Enforcement          -
SC-50   Software-enforced Separation and Policy Enforcement          -
SI-3    Malicious Code Protection                                    L M H
SI-4    System Monitoring                                            L M H
SI-7    Software, Firmware, and Information Integrity                M H
Threat Coverage (13 ATT&CK techniques)
T1566  Phishing
T1199  Trusted Relationship
T1046  Network Service Discovery
T1018  Remote System Discovery
T1570  Lateral Tool Transfer
T1071  Application Layer Protocol
T1105  Ingress Tool Transfer
T1041  Exfiltration Over C2 Channel
T1567  Exfiltration Over Web Service
T1048  Exfiltration Over Alternative Protocol
T1499  Endpoint Denial of Service
T1498  Network Denial of Service
T1595  Active Scanning
Control Enhancements (32)
Baselines column: H = HIGH, W = withdrawn, - = not in any baseline.

ID         Title                                                      Baselines
AC-4(1)    Object Security and Privacy Attributes                     -
AC-4(2)    Processing Domains                                         -
AC-4(3)    Dynamic Information Flow Control                           -
AC-4(4)    Flow Control of Encrypted Information                      H
AC-4(5)    Embedded Data Types                                        -
AC-4(6)    Metadata                                                   -
AC-4(7)    One-way Flow Mechanisms                                    -
AC-4(8)    Security and Privacy Policy Filters                        -
AC-4(9)    Human Reviews                                              -
AC-4(10)   Enable and Disable Security or Privacy Policy Filters      -
AC-4(11)   Configuration of Security or Privacy Policy Filters        -
AC-4(12)   Data Type Identifiers                                      -
AC-4(13)   Decomposition into Policy-relevant Subcomponents           -
AC-4(14)   Security or Privacy Policy Filter Constraints              -
AC-4(15)   Detection of Unsanctioned Information                      -
AC-4(16)   Information Transfers on Interconnected Systems            W
AC-4(17)   Domain Authentication                                      -
AC-4(18)   Security Attribute Binding                                 W
AC-4(19)   Validation of Metadata                                     -
AC-4(20)   Approved Solutions                                         -
AC-4(21)   Physical or Logical Separation of Information Flows        -
AC-4(22)   Access Only                                                -
AC-4(23)   Modify Non-releasable Information                          -
AC-4(24)   Internal Normalized Format                                 -
AC-4(25)   Data Sanitization                                          -
AC-4(26)   Audit Filtering Actions                                    -
AC-4(27)   Redundant/Independent Filtering Mechanisms                 -
AC-4(28)   Linear Filter Pipelines                                    -
AC-4(29)   Filter Orchestration Engines                               -
AC-4(30)   Filter Mechanisms Using Multiple Processes                 -
AC-4(31)   Failed Content Transfer Prevention                         -
AC-4(32)   Process Requirements for Information Transfer              -
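Worked example, added to this page and not part of the NIST control text or of any product: a small Python policy enforcement point that shows what the base control and enhancements (1), (7), (8), (12), (26) and (31) look like in code. An object carries a bound security label and a data type identifier; an approved-flow table says which data types may move between which domains (default deny, with an asymmetric entry acting as a one-way flow); the destination's clearance must dominate the object's label so nothing is written down; content policy filters run before delivery; every decision and every filter action is appended to an audit list; and a filter that throws fails closed, so a broken transfer delivers nothing. The domain names, labels, flow table, filter rules and sample messages are all constructed for the example.

```python
"""Illustrative information-flow enforcement point (added example; domains,
labels, flow table, filters and messages are constructed, not from NIST)."""
from dataclasses import dataclass
import re
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# Ordered sensitivity levels used by the labels. A transfer to a domain whose
# clearance does not dominate the object's label is a write-down and is denied.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class DataObject:
    data_type: str   # data type identifier (AC-4(12))
    label: Label     # security attribute bound to the object (AC-4(1))
    body: str


@dataclass(frozen=True)
class Domain:
    name: str
    clearance: Label


# Approved flows: (source, destination) -> data types the flow may carry.
# A missing route or type is an unauthorized flow (default deny). "invoice" is
# accepted from partner but never sent to partner: a one-way flow (AC-4(7)).
FLOW_POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("corp", "partner"): {"report"},
    ("partner", "corp"): {"report", "invoice"},
    ("corp", "archive"): {"report", "invoice", "note"},
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digit run, a PAN shape


def filter_no_card_numbers(obj: DataObject) -> Tuple[bool, str]:
    """Policy filter (AC-4(8)): block bodies that look like they carry a card number."""
    return CARD_RE.search(obj.body) is None, "payment card number in body"


def filter_type_matches_body(obj: DataObject) -> Tuple[bool, str]:
    """Policy filter (AC-4(12)): the declared data type must match the content."""
    if obj.data_type == "report" and "INVOICE" in obj.body.upper():
        return False, "invoice content carried under data type 'report'"
    return True, ""


FILTERS: List[Tuple[str, Callable[[DataObject], Tuple[bool, str]]]] = [
    ("no_card_numbers", filter_no_card_numbers),
    ("type_matches_body", filter_type_matches_body),
]


def dominates(holder: Label, obj: Label) -> bool:
    """holder may receive obj if its level is at least as high and it holds every category."""
    return LEVELS[holder.level] >= LEVELS[obj.level] and obj.categories <= holder.categories


def enforce_flow(obj: DataObject, src: Domain, dst: Domain, audit: List[dict]) -> Tuple[bool, str]:
    """Decide whether obj may flow src -> dst. Every decision and every filter
    action is appended to audit (AC-4(26)); on any failure nothing is delivered."""
    def decide(ok: bool, reason: str) -> Tuple[bool, str]:
        audit.append({"src": src.name, "dst": dst.name, "type": obj.data_type,
                      "decision": "allow" if ok else "deny", "reason": reason})
        return ok, reason

    allowed = FLOW_POLICY.get((src.name, dst.name))
    if allowed is None or obj.data_type not in allowed:
        return decide(False, f"flow {src.name}->{dst.name} does not authorize type {obj.data_type!r}")
    if not dominates(dst.clearance, obj.label):
        return decide(False, "destination clearance does not dominate object label (write-down)")
    for name, fn in FILTERS:
        try:
            ok, reason = fn(obj)
        except Exception as exc:        # a broken filter fails closed (AC-4(31))
            ok, reason = False, f"filter error: {type(exc).__name__}"
        audit.append({"src": src.name, "dst": dst.name, "filter": name, "passed": ok})
        if not ok:
            return decide(False, f"blocked by filter {name}: {reason}")
    return decide(True, "transfer approved")


def demo() -> Tuple[List[Tuple[bool, str]], List[dict]]:
    """Run constructed transfers through the enforcement point; returns (decisions, audit)."""
    corp = Domain("corp", Label("confidential", frozenset({"finance"})))
    partner = Domain("partner", Label("internal"))
    archive = Domain("archive", Label("confidential", frozenset({"finance"})))
    audit: List[dict] = []
    cases = [
        (DataObject("report", Label("internal"), "Q3 summary: revenue up four percent"), corp, partner),
        (DataObject("invoice", Label("internal"), "Invoice 1001 due"), corp, partner),
        (DataObject("report", Label("confidential", frozenset({"finance"})), "board pack"), corp, partner),
        (DataObject("report", Label("internal"), "card 4111 1111 1111 1111 on file"), corp, partner),
        (DataObject("report", Label("internal"), None), corp, partner),   # malformed input: filter raises
        (DataObject("note", Label("internal"), "lunch moved to 1pm"), corp, archive),
        (DataObject("invoice", Label("internal"), "INVOICE 2002 from partner"), partner, corp),
    ]
    return [enforce_flow(o, s, d, audit) for o, s, d in cases], audit


if __name__ == "__main__":
    for ok, reason in demo()[0]:
        print("ALLOW" if ok else "DENY ", reason)
```

The order of checks matters: the flow table and label dominance are cheap structural decisions and run first, so content filters only ever see objects that were already authorized to move, and a filter failure is recorded against a specific route and data type. The `None` body case is the edge worth keeping: a real pipeline that catches the exception and still forwards the object has turned a filter outage into an open flow.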