NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(21) Physical or Logical Separation of Information Flows

Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels.

Practitioner Notes

Physically or logically separate the pathways over which different types of information travel. Sensitive data should not share the same network pipe as general internet browsing.

Example 1: Use VLANs to segment your network so that CUI traffic travels on a dedicated VLAN (e.g., VLAN 100) separate from general corporate traffic (VLAN 10). Configure your switches with switchport access vlan 100 for CUI ports and apply ACLs that prevent cross-VLAN traffic except through the firewall.

Example 2: In AWS, deploy separate VPCs for CUI and non-CUI workloads. Use VPC peering only where absolutely necessary, and restrict the peering connection's route tables to allow only specific, documented traffic flows.
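An added audit check for Example 2 (this is illustrative code, not part of this page or of any NIST or CMMC tooling): it walks route tables in the shape the EC2 DescribeRouteTables API returns and flags any route that points at a peering connection which is either undocumented or broader than the flow that was documented for it. The peering IDs, CIDRs and route tables below are constructed sample values.

```python
"""Verify that VPC peering routes carry only documented, specific flows."""
from ipaddress import ip_network

# Constructed sample: the only approved flow over pcx-0000example is to the
# shared-services subnet 10.10.5.0/24, not the whole peer VPC (10.10.0.0/16).
DOCUMENTED_FLOWS = {
    "pcx-0000example": {"10.10.5.0/24"},
}

# Constructed route tables, simplified to the fields this check needs.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-cui-private", "Routes": [
        {"DestinationCidrBlock": "10.100.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.10.5.0/24",
         "VpcPeeringConnectionId": "pcx-0000example"},
    ]},
    {"RouteTableId": "rtb-cui-misconfigured", "Routes": [
        {"DestinationCidrBlock": "10.100.0.0/16", "GatewayId": "local"},
        # Whole peer VPC reachable: far broader than the documented /24.
        {"DestinationCidrBlock": "10.10.0.0/16",
         "VpcPeeringConnectionId": "pcx-0000example"},
        # Peering connection with no documented flow at all.
        {"DestinationCidrBlock": "10.20.0.0/16",
         "VpcPeeringConnectionId": "pcx-undocumented"},
    ]},
]


def audit_peering_routes(route_tables, documented):
    """Return (route table, peering id, destination, reason) for each bad route."""
    findings = []
    for table in route_tables:
        for route in table.get("Routes", []):
            pcx = route.get("VpcPeeringConnectionId")
            if not pcx:
                continue  # local, IGW, NAT etc. are out of scope here
            dest = route.get("DestinationCidrBlock")
            if dest is None:  # IPv6 or prefix-list route: review by hand
                findings.append((table["RouteTableId"], pcx, None, "non-IPv4 peering route"))
                continue
            allowed = documented.get(pcx)
            if allowed is None:
                findings.append((table["RouteTableId"], pcx, dest, "undocumented peering connection"))
                continue
            # A route is acceptable only if it lies inside a documented prefix.
            if not any(ip_network(dest).subnet_of(ip_network(a)) for a in allowed):
                findings.append((table["RouteTableId"], pcx, dest, "route broader than documented flow"))
    return findings
```

Run against real data by feeding the `RouteTables` list from DescribeRouteTables in place of the constructed sample; the same check applies to the peer VPC's tables, since the documented flow must be restricted on both sides.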