NIST 800-53 REV 5 • ACCESS CONTROL
AC-4(26) — Audit Filtering Actions
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
Supplemental Guidance
Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined policy. Content filtering actions and the results of filtering actions are recorded for individual messages to ensure that the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions by, for example, determining why message content was modified and/or why it failed the filtering process. Audit events are defined in [AU-2](#au-2). Audit records are generated in [AU-12](#au-12).
Practitioner Notes
Every time your content filters take an action — block, quarantine, modify, or allow — that action must be logged. You need a trail of what your filters are doing to both investigate incidents and tune your policies.
Example 1: In Microsoft Purview DLP, enable Activity Explorer logging to capture every DLP policy match, override, and false positive report. Review this weekly to tune your policies — high false positive rates mean the policy needs refinement.
Example 2: On your firewall, enable logging for all security policy actions (allow, deny, drop, reset). In Palo Alto, configure Log Forwarding Profiles to send these logs to your SIEM in real time. Create dashboards that show blocked transfer trends by source, destination, and data type.
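The check a reviewer would run over such a trail, as an added example that is not part of the NIST text or of any vendor's product: it verifies that every message record carries both a filter action and a result (the AC-4(26) requirement), tallies actions, and flags policies whose false-positive override rate suggests tuning (Example 1). The JSON record schema and the sample lines are constructed for illustration, not a real product format.

```python
"""Audit a cross-domain content-filter trail for AC-4(26).

The record schema below is hypothetical: one JSON object per message
crossing the boundary, with the filter's action and its result.
"""
import json
from collections import Counter

# Constructed sample records (hypothetical schema, not a vendor log format).
SAMPLE_LOG = """\
{"msg_id": "m1", "policy": "pii-ssn", "action": "block", "result": "fail", "reason": "SSN pattern"}
{"msg_id": "m2", "policy": "pii-ssn", "action": "allow", "result": "pass", "reason": ""}
{"msg_id": "m3", "policy": "pii-ssn", "action": "block", "result": "fail", "override": "false_positive"}
{"msg_id": "m4", "policy": "docx-macros", "action": "modify", "result": "pass", "reason": "macros stripped"}
{"msg_id": "m5", "policy": "pii-ssn", "action": "quarantine", "result": "fail", "override": "false_positive"}
{"msg_id": "m6", "policy": "docx-macros", "action": "allow"}
"""

REQUIRED = ("msg_id", "policy", "action", "result")
VALID_ACTIONS = {"block", "quarantine", "modify", "allow"}


def audit_filter_log(text, fp_threshold=0.5):
    """Return (action_counts, incomplete, noisy_policies).

    incomplete: records missing a required field or with an unknown action,
    i.e. a gap in the audit trail the control requires.
    noisy_policies: policy -> false-positive rate above fp_threshold.
    """
    actions = Counter()
    incomplete = []
    matches = Counter()  # policy -> records where the filter acted (not allow)
    fps = Counter()      # policy -> those later marked as false positives
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED if f not in rec]
        if missing or rec.get("action") not in VALID_ACTIONS:
            incomplete.append((rec.get("msg_id", f"line{n}"), missing))
            continue
        actions[rec["action"]] += 1
        if rec["action"] != "allow":
            matches[rec["policy"]] += 1
            if rec.get("override") == "false_positive":
                fps[rec["policy"]] += 1
    noisy = {p: fps[p] / matches[p] for p in matches
             if fps[p] / matches[p] > fp_threshold}
    return actions, incomplete, noisy
```

On the sample, message m6 is reported as incomplete (no result recorded) and the pii-ssn policy is flagged with a 2/3 false-positive rate.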