NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(32) Process Requirements for Information Transfer

When transferring information between different security domains, the process that transfers information between filter pipelines: Does not filter message content; Validates filtering metadata; Ensures the content associated with the filtering metadata has successfully completed filtering; and Transfers the content to the destination filter pipeline.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The processes transferring information between filter pipelines have minimum complexity and functionality to provide assurance that the processes operate correctly.

Practitioner Notes

This control ensures that information transfer processes enforce security requirements — things like validating that the sender is authorized, the destination is approved, and the data format is correct before the transfer proceeds.

Example 1: On your managed file transfer (MFT) platform (Axway, GoAnywhere), configure transfer profiles that validate the sender's identity, check file size limits, verify file type, and confirm the destination is on the approved recipient list before executing any transfer.

Example 2: For automated system-to-system data feeds, use API keys with scoped permissions and require mutual TLS authentication. The receiving system validates the sender's certificate, checks that the API key has the correct scope, and rejects any payload that does not match the expected schema.
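Example 3 (an added sketch, not part of the NIST text or any product's code): a transfer process that implements the four requirements in the control statement with as little logic as possible. The metadata layout, the HMAC tag, the shared key and the filter names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; how pipelines share the key is assumed.
PIPELINE_KEY = b"constructed-demo-key"
REQUIRED_FILTERS = ("malware_scan", "dirty_word_check")  # hypothetical names


def sign_metadata(meta: dict, key: bytes) -> str:
    """Tag the source filter pipeline attaches to its filtering metadata."""
    body = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_meta(content: bytes, results: dict) -> dict:
    """Constructed metadata as a source pipeline might emit it."""
    return {"content_sha256": hashlib.sha256(content).hexdigest(),
            "filter_results": results}


def transfer(content: bytes, meta: dict, tag: str, key: bytes, deliver) -> str:
    """Move content to the destination pipeline without filtering it."""
    # Validate the filtering metadata: authentic tag, expected fields.
    if not hmac.compare_digest(sign_metadata(meta, key).encode(), tag.encode()):
        return "reject: metadata tag invalid"
    results = meta.get("filter_results")
    digest = meta.get("content_sha256")
    if not isinstance(results, dict) or not isinstance(digest, str):
        return "reject: metadata malformed"
    # Bind the metadata to these exact bytes (a hash, not a content filter).
    if hashlib.sha256(content).hexdigest() != digest:
        return "reject: content does not match metadata"
    # The associated content must have completed every required filter.
    if any(results.get(name) != "pass" for name in REQUIRED_FILTERS):
        return "reject: filtering incomplete"
    # Hand the opaque bytes to the destination filter pipeline.
    deliver(content, meta)
    return "transferred"


if __name__ == "__main__":
    received = []
    doc = b"constructed sample payload"
    ok = make_meta(doc, {"malware_scan": "pass", "dirty_word_check": "pass"})
    print(transfer(doc, ok, sign_metadata(ok, PIPELINE_KEY), PIPELINE_KEY,
                   lambda c, m: received.append(c)))
    partial = make_meta(doc, {"malware_scan": "pass"})
    print(transfer(doc, partial, sign_metadata(partial, PIPELINE_KEY),
                   PIPELINE_KEY, lambda c, m: received.append(c)))
```

The transfer function never parses or rewrites the payload, which keeps it small enough to review line by line, in keeping with the Supplemental Guidance.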