Practice AC.L3-3.1.3e Details: Difference between revisions

From CMMC Toolkit Wiki
Created page with "'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 3 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == AC.L3-3.1.3E – SECURED INFORMATION TRANSFER == === SECURITY REQUIREMENT === Employ secure information transfer solutions to control information flows between s..."
 
CMMC Assessment Guide – Level 3 | Version 2.13
 

Latest revision as of 02:13, 25 March 2025

Source of Reference: The official CMMC Level 3 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).

For inquiries and reporting errors on this wiki, please contact us. Thank you.

AC.L3-3.1.3E – SECURED INFORMATION TRANSFER

SECURITY REQUIREMENT

Employ secure information transfer solutions to control information flows between security domains on connected systems.

ASSESSMENT OBJECTIVES [NIST SP 800-172A]

Determine if:

[ODP1] Secure information transfer solutions are defined;
[a] Information flows between security domains on connected systems are identified; and
[b] Secure information transfer solutions are employed to control information flows between security domains on connected systems.

POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]

Examine

[SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; security plan; system configuration settings and associated documentation; system audit records; system baseline configuration; list of information flow authorizations; other relevant documents or records].

Interview

[SELECT FROM: System and network administrators; organizational personnel responsible for information security; system developers].

Test

[SELECT FROM: Mechanisms implementing information flow enforcement policy; mechanisms implementing secure information transfer solutions].

DISCUSSION [NIST SP 800-172]

Organizations employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.

Transferring information between systems in different security domains with different security policies introduces the risk that the transfers violate one or more domain security policies. In such situations, information owners or information stewards provide guidance at designated policy enforcement points between connected systems. Organizations mandate specific architectural solutions when required to enforce logical or physical separation between systems in different security domains. Enforcement includes prohibiting information transfers between connected systems, employing hardware mechanisms to enforce one-way information flows, verifying write permissions before accepting information from another security domain or connected system, and implementing trustworthy regrading mechanisms to reassign security attributes and labels.

Secure information transfer solutions often include one or more of the following properties: use of cross-domain solutions when traversing security domains, mutual authentication of the sender and recipient (using hardware-based cryptography), encryption of data in transit and at rest, isolation from other domains, and logging of information transfers (e.g., title of file, file size, cryptographic hash of file, sender, recipient, transfer time and Internet Protocol [IP] address, receipt time, and IP address).

FURTHER DISCUSSION

The organization implementing this requirement must decide on the secure information transfer solutions they will use. The solutions must be configured to have strong protection mechanisms for information flow between security domains. Secure information transfer solutions control information flow between a Level 3 enclave and other CMMC or non-CMMC enclaves. If CUI requiring Level 3 protection resides in one area of the environment or within a given enclave outside of the normal working environment, protection to prevent unauthorized personnel from accessing, disseminating, and sharing the protected information is required. Physical and virtual methods can be employed to implement secure information transfer solutions.

Example

You are the administrator for an enterprise that stores and processes CUI requiring Level 3 protection. The files containing CUI information are tagged by the company as CUI. To ensure secure information transfer, you use an intermediary device to check the transfer of any CUI files. The device sits at the boundary of the CUI enclave, is aware of all other CUI domains in the enterprise, and has the ability to examine the metadata in the encrypted payload. The tool checks all outbound communications paths. It first checks the metadata for all data being transferred. If that data is identified as CUI, the device checks the destination to see if the transfer is to another, sufficiently certified CUI domain. If the destination is not a sufficient CUI domain, the tool blocks the communication path and does not allow the transfer to take place. If the destination is a sufficient CUI domain, the transfer is allowed. The intermediary device logs all blocks.
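
The boundary check described in the example above, sketched as an added illustration (it is not part of the CMMC Assessment Guide or of this wiki). It assumes the transfer metadata has already been extracted into a dictionary, uses hypothetical domain names, field names and markings, treats missing or unknown tags as a block, and records every decision with the transfer fields listed in the Discussion rather than only the blocks.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed values: domains this enclave treats as sufficiently certified
# for CUI, and the markings its tagging scheme uses (all hypothetical).
CERTIFIED_CUI_DOMAINS = {"cui-enclave-a.example", "cui-enclave-b.example"}
KNOWN_MARKINGS = {"CUI", "UNCONTROLLED"}


def decide(marking, dest_domain):
    """Return (allowed, reason) for one outbound transfer."""
    marking = (marking or "").strip().upper()
    dest = (dest_domain or "").strip().lower().rstrip(".")
    if marking not in KNOWN_MARKINGS:
        # Assumption added in this example: missing or unknown tags fail closed.
        return False, "unrecognized-marking"
    if marking != "CUI":
        return True, "not-cui"
    # Exact match only, so a look-alike suffix or prefix is never accepted.
    if dest in CERTIFIED_CUI_DOMAINS:
        return True, "cui-to-certified-domain"
    return False, "cui-to-uncertified-domain"


def check_transfer(meta, payload, audit_log, now=None):
    """Decide one transfer and append an audit record for it."""
    allowed, reason = decide(meta.get("marking"), meta.get("dest_domain"))
    record = {
        "title": meta.get("title"),
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "sender": meta.get("sender"),
        "recipient": meta.get("recipient"),
        "src_ip": meta.get("src_ip"),
        "dest_domain": meta.get("dest_domain"),
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "action": "allow" if allowed else "block",
        "reason": reason,
    }
    audit_log.append(json.dumps(record, sort_keys=True))
    return allowed


def run_samples():
    """Run four constructed transfers; return (decisions, audit_log)."""
    base = {"sender": "alice", "recipient": "bob", "src_ip": "192.0.2.10"}
    samples = [
        dict(base, title="spec.pdf", marking="CUI", dest_domain="cui-enclave-b.example"),
        dict(base, title="spec.pdf", marking="CUI", dest_domain="cui-enclave-b.example.partner.test"),
        dict(base, title="menu.txt", marking="UNCONTROLLED", dest_domain="partner.test"),
        dict(base, title="notes.txt", dest_domain="cui-enclave-a.example"),
    ]
    log = []
    decisions = [check_transfer(m, b"constructed payload", log) for m in samples]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_samples()
    print(decisions)
    print("\n".join(log))
```

The audit lines produced here are the kind of system audit record an assessor could examine alongside the list of information flow authorizations.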

Potential Assessment Considerations

  • Has the organization defined the secure information transfer solutions it is using [b]?
  • Has the organization defined domains, boundaries, and flows between those domains that need to be controlled [a]?
  • Has the organization defined attributes to be associated with the CUI, and both source and destination objects [b]?
  • Has the organization defined metadata or some other tagging mechanism to be used as a means of enforcing CUI flow control [b]?
  • Has the organization defined filters to be used as a basis for enforcing flow control decisions [b]?
  • Has the organization identified CUI flows for which flow control decisions are to be applied and enforced [a,b]?

KEY REFERENCES

  • NIST SP 800-172 3.1.3e