NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(12) Data Type Identifiers

When transferring information between different security domains, use {{ insert: param, ac-04.12_odp }} to validate data essential for information flow decisions.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only allow transfer of data that is compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure that it is the proper data type.

Practitioner Notes

Data type identifiers let the system recognize what kind of data is flowing — an executable, a PDF, a database export — and apply appropriate controls based on that type.

Example 1: On your email gateway, configure attachment filtering by file type using true type detection (not just extension). In Exchange Online, set up a mail flow rule under Admin Center → Mail Flow → Rules that blocks executable extensions (.exe, .bat, .ps1, .js) even if renamed to .txt.

Example 2: On your proxy (Zscaler, Palo Alto), enable file type inspection in the security policy. Configure it to block uploads of database files (.sql, .mdb), archive files (.7z, .rar), and disk images (.iso, .img) to cloud storage services not on your approved list.
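Both examples above depend on the same idea from the supplemental guidance: decide by the content's true type (file signature plus a check against the format specification), never by the filename or extension alone. The following Python is an added illustration written for this page, not code from NIST or from any of the products named above. The signature table, extension map, block-list and sample payloads are all constructed for the example; a production gateway would use a maintained signature library and full-format parsers rather than the minimal validators shown here.

```python
"""True-type detection and validation for an information flow decision.

Policy implemented (constructed for this example):
  1. Detect the type from file signatures (magic bytes), not the extension.
  2. Block types that must never cross the boundary (executables, archives,
     disk images, database files), even when renamed to a harmless extension.
  3. Deny when the extension's claimed type disagrees with the detected type.
  4. Run a per-format syntactic check against the specification before allowing.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (offset, magic bytes, type name). ISO 9660 carries its marker at 0x8001.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"MZ", "pe-executable"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"SQLite format 3\x00", "sqlite"),
    (0x8001, b"CD001", "iso"),
]

# What each allowed extension claims to contain. Anything else is denied.
EXTENSION_CLAIMS: Dict[str, str] = {
    "txt": "text", "pdf": "pdf", "png": "png", "zip": "zip", "docx": "zip",
}

# Types never permitted across the boundary regardless of extension.
BLOCKED_TYPES = {"pe-executable", "7z", "rar", "iso", "sqlite"}


def detect_type(data: bytes) -> str:
    """Return the true type from the signature table, 'text' for decodable
    UTF-8 with no known signature, otherwise 'unknown'."""
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def _valid_pdf(data: bytes) -> bool:
    # Header plus the %%EOF marker the spec requires near the end of the file.
    return data.startswith(b"%PDF-") and b"%%EOF" in data[-1024:]


def _valid_png(data: bytes) -> bool:
    # First chunk after the 8-byte signature must be IHDR; file ends with IEND.
    return len(data) >= 16 and data[12:16] == b"IHDR" and data.endswith(b"IEND\xaeB`\x82")


def _valid_zip(data: bytes) -> bool:
    # Central directory end record must be present (0x06054b50, little-endian).
    return b"PK\x05\x06" in data[-65557:]


# Syntactic validators keyed by detected type. 'text' has no further structure.
VALIDATORS: Dict[str, Callable[[bytes], bool]] = {
    "pdf": _valid_pdf, "png": _valid_png, "zip": _valid_zip,
}


@dataclass
class Decision:
    allowed: bool
    detected: str
    reason: str


def evaluate_transfer(filename: str, data: bytes) -> Decision:
    """Flow decision for one object crossing the domain boundary."""
    detected = detect_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed: Optional[str] = EXTENSION_CLAIMS.get(ext)

    if detected in BLOCKED_TYPES:
        return Decision(False, detected, f"blocked type {detected} (named {filename!r})")
    if claimed is None:
        return Decision(False, detected, f"extension .{ext} not on allow-list")
    if detected != claimed:
        return Decision(False, detected, f"extension claims {claimed}, content is {detected}")
    validator = VALIDATORS.get(detected)
    if validator is not None and not validator(data):
        return Decision(False, detected, f"content fails {detected} format check")
    return Decision(True, detected, "type identified and validated")


if __name__ == "__main__":
    # Constructed samples: a PE stub renamed to .txt, a well-formed and a
    # truncated PDF, an ISO image renamed to .docx, and plain text.
    samples = [
        ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("report.pdf", b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"),
        ("report.pdf", b"%PDF-1.4\n1 0 obj"),
        ("deck.docx", b"\x00" * 0x8001 + b"CD001"),
        ("readme.txt", b"plain text body\n"),
    ]
    for name, payload in samples:
        d = evaluate_transfer(name, payload)
        print(f"{name:12} allowed={d.allowed!s:5} {d.reason}")
```

The ordering matters: the block-list is checked before the extension claim, so an executable named `notes.txt` is denied as an executable rather than merely as a mismatch, which is the distinction a gateway log should record.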