NIST 800-53 REV 5 • ACCESS CONTROL
AC-4(13) — Decomposition into Policy-relevant Subcomponents
When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains.
Practitioner Notes
This control breaks data down into sub-components for policy evaluation. Rather than checking a file as a whole, the system inspects each part — headers, body, attachments, metadata — against separate policy rules.
Example 1: Configure your DLP solution to inspect email messages at the sub-component level: scan the subject line, body text, each attachment, and embedded images separately. A clean email body with a sensitive attachment should still trigger the policy.
Example 2: Configure your web application firewall to decompose HTTP requests into headers, URL parameters, cookies, and body content. Apply different inspection rules to each component, for example stricter validation on URL parameters to prevent injection attacks while allowing more flexibility in body content.
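The email decomposition from Example 1, as an added sketch that is not part of the control text or any DLP product: the message is split into subject, body and attachments, and each subcomponent is checked on its own before a transfer decision is made. The sample message, the SSN pattern and the allowed attachment types are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample: clean subject and body, sensitive attachment.
SAMPLE = """\
From: alice@example.com
To: bob@partner.example
Subject: Q3 schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached schedule.
--b1
Content-Type: text/csv
Content-Disposition: attachment; filename="staff.csv"

name,ssn
J. Doe,123-45-6789
--b1--
"""

SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # assumed sensitive-data pattern
ALLOWED_ATTACHMENT_TYPES = {"text/plain", "text/csv", "application/pdf"}  # assumed policy

def decompose(raw):
    """Split a message into (component, content_type, text) tuples."""
    msg = message_from_string(raw, policy=policy.default)
    parts = [("subject", "text/plain", str(msg["Subject"] or ""))]
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        name = part.get_filename()
        label = f"attachment:{name}" if name else "body"
        payload = part.get_payload(decode=True) or b""
        parts.append((label, part.get_content_type(), payload.decode("utf-8", "replace")))
    return parts

def evaluate(raw):
    """Apply rules per subcomponent; any finding blocks the transfer."""
    findings = []
    for label, ctype, text in decompose(raw):
        if SSN.search(text):
            findings.append((label, "sensitive-pattern"))
        if label.startswith("attachment:") and ctype not in ALLOWED_ATTACHMENT_TYPES:
            findings.append((label, "disallowed-type"))
    return ("block" if findings else "allow"), findings
```

Each finding names the subcomponent that triggered it, so the enforcement point can log or sanitize that part instead of judging the message as a whole.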