NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(31)Failed Content Transfer Prevention

When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Content that failed filtering checks can corrupt the system if transferred to the receiving domain.

Practitioner Notes

If content fails security inspection — the scan times out, the file is corrupted, or the filter cannot process it — the system must block it rather than allow it through. Fail closed, not fail open.

Example 1: In Defender for Office 365, set the Safe Attachments policy action to Block rather than Replace or Dynamic Delivery. If the sandbox cannot detonate an attachment (encrypted zip, corrupt file), it is blocked entirely.

Example 2: On your proxy, configure the ICAP integration to fail closed. If the ICAP scanning service is unreachable or times out, the proxy should block the request rather than allowing it unscanned. Test this periodically by stopping the ICAP service and verifying traffic is blocked.

More Access Control Controls

AC-1 Policy and Procedures AC-2 Account Management AC-2(1) Automated System Account Management AC-2(2) Automated Temporary and Emergency Account Management