AC-4(19)

Requirement

When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata.

Discussion

All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions and consider metadata and the data to which the metadata applies to be part of the payload.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of security policy filtering criteria applied to metadata and data payloads; system audit records; system security plan; privacy plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; organizational personnel with privacy responsibilities; system developers].

Test

[SELECT FROM: Mechanisms implementing information flow enforcement functions; security and policy filters].

ID	Assessment Objectives
AC-04(19)[02]	when transferring information between different security domains, <AC-04(19)_ODP[02] privacy policy filters> are implemented on metadata.
AC-04(19)[01]	when transferring information between different security domains, <AC-04(19)_ODP[01] security policy filters> are implemented on metadata;

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!