NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(4) Flow Control of Encrypted Information

Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.

Practitioner Notes

This control addresses how encrypted data is handled as it crosses your network boundaries: either you are able to inspect it, or you have an explicit policy for when encrypted traffic may pass without inspection.

Example 1: On your Palo Alto firewall, enable SSL Forward Proxy decryption for outbound traffic. Configure decryption profiles to inspect HTTPS traffic for data exfiltration while exempting specific categories (healthcare, banking) to avoid compliance issues with intercepting personal traffic.

Example 2: On your web application firewall (AWS WAF, Azure WAF), terminate TLS at the load balancer so that traffic can be inspected for malicious payloads before reaching backend servers. Re-encrypt traffic between the load balancer and the backend using internal certificates.
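As an added example (not from the NIST text or this page's notes), a minimal policy filter in the spirit of the supplemental guidance: reversible encoding such as base64 is decoded and handed back to the content filter, while high-entropy payloads that look encrypted are sent to a decryption proxy when one is in path and blocked otherwise. The sample payloads, the entropy threshold and the decision names (`pass`, `decrypt`, `block`) are constructed assumptions, not values from the control.

```python
import base64
import binascii
import math
import re
from collections import Counter
from typing import Optional, Tuple

# Constructed stand-ins for payloads crossing a boundary (not captured traffic).
SAMPLES = {
    "plain": b"Quarterly report: revenue up 4%, headcount 212, see attached CSV.",
    "base64": base64.b64encode(b"SSN=123-45-6789;ACCT=987654321" * 4),
    "random": bytes(range(256)) * 2,  # uniform bytes, as ciphertext would look
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for English."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

_B64 = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def try_decode_base64(data: bytes) -> Optional[bytes]:
    """Return the decoded bytes if the payload is strictly valid base64, else None."""
    if len(data) % 4 or not _B64.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify(data: bytes, max_entropy: float = 6.5) -> str:
    """'encoded' if a reversible encoding hides the content from the filter,
    'opaque' if it looks encrypted/compressed, else 'inspectable'."""
    if try_decode_base64(data) is not None:
        return "encoded"
    if shannon_entropy(data) > max_entropy:  # threshold is an assumption
        return "opaque"
    return "inspectable"

def enforce(data: bytes, can_decrypt: bool = False) -> Tuple[str, Optional[bytes]]:
    """Decide what the flow control mechanism does with the payload."""
    verdict = classify(data)
    if verdict == "inspectable":
        return "pass", data
    if verdict == "encoded":
        return "pass", try_decode_base64(data)  # filter sees the decoded content
    if can_decrypt:
        return "decrypt", None  # hand the session to the decryption proxy
    return "block", None  # cannot inspect, so it may not bypass the filter
```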