NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(7) One-way Flow Mechanisms

Enforce one-way information flows through hardware-based flow control mechanisms.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

One-way flow mechanisms may also be referred to as a unidirectional network, unidirectional security gateway, or data diode. One-way flow mechanisms can be used to prevent data from being exported from a higher impact or classified domain or system while permitting data from a lower impact or unclassified domain or system to be imported.

Practitioner Notes

One-way flow mechanisms, such as data diodes, physically allow data to cross a boundary in only one direction; there is no return path at all, not even for acknowledgements. Which direction is a deployment decision. The supplemental guidance describes the confidentiality case: data may be imported from a lower-impact or unclassified domain into a higher one, but nothing can leave the higher domain. The same hardware is also deployed the other way round where integrity is the concern, for example letting an OT network publish historian or log data to a corporate network while nothing can be sent back in.

Example 1: Deploy a hardware data diode (Owl Cyber Defense is one vendor) at the boundary between the classified and unclassified networks, oriented so that the only transmitter is on the unclassified side; the hardware then cannot carry any signal toward the unclassified network. Use it to import one-way feeds such as patches, antivirus signatures or threat intelligence into the classified enclave. The reverse use, forwarding syslog from classified systems to an unclassified SIEM, would export data from the higher domain, which is exactly what the guidance says the mechanism is there to prevent; log monitoring of classified systems belongs on a SIEM inside that domain. Because there is no return path, protocols that need acknowledgements (TCP, most file-transfer protocols) cannot cross the diode directly: the session is terminated by a proxy on each side and the transfer itself is a send-only stream, so sequence numbers and integrity checks on the receiving side are what tell you whether anything was lost.

Example 2: A firewall rule set that permits only connections initiated from one side is not a one-way flow mechanism and does not satisfy AC-4(7), which asks for hardware-based flow control. Every permitted TCP session carries data in both directions, so a host on the protected side that is allowed to connect outward can also be used to move data out through that session, and a DLP solution watching the channel provides detection, not enforcement. For lower-impact systems where a diode is not justified, a firewall plus DLP on the allowed channel is still reasonable, but document it as a compensating control rather than as an implementation of this enhancement.
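The following Python is an added example for the two practitioner notes above; it is not part of NIST SP 800-53, NIST 800-171 or any diode vendor's software. It shows what a send-only transfer looks like once there are no acknowledgements: the sender wraps each syslog record in a frame with a sequence number and a CRC-32 and emits every frame twice, and the receiver verifies the CRC, discards duplicates and reports the sequence gaps it cannot fill. The frame tag, the in-memory channel standing in for the diode, and the syslog lines are all assumptions constructed for this example.

```python
import zlib

# Added example, not vendor or NIST code. FRAME_MAGIC is a hypothetical
# frame tag chosen for this example; HEADER_LEN is magic | 64-bit seq | CRC-32.
FRAME_MAGIC = b"OWF1"
HEADER_LEN = 4 + 8 + 4

# Constructed sample syslog records (RFC 5424 style); not from any real host.
SAMPLE_SYSLOG = [
    b"<34>1 2024-05-01T10:00:00Z host01 sshd 1021 - - Accepted publickey for admin",
    b"<34>1 2024-05-01T10:00:05Z host01 sshd 1021 - - session opened for user admin",
    b"<37>1 2024-05-01T10:00:09Z host02 sudo 3301 - - admin : COMMAND=/bin/cat /etc/shadow",
    b"<38>1 2024-05-01T10:00:12Z host02 sshd 3310 - - Failed password for root",
    b"<38>1 2024-05-01T10:00:13Z host02 sshd 3310 - - Failed password for root",
]


def frame(seq, record):
    """Build one datagram: magic | seq | crc32(record) | record."""
    header = FRAME_MAGIC + seq.to_bytes(8, "big") + zlib.crc32(record).to_bytes(4, "big")
    return header + record


def unframe(datagram):
    """Parse a datagram; return (seq, record), or None if malformed or corrupt."""
    if len(datagram) < HEADER_LEN or datagram[:4] != FRAME_MAGIC:
        return None
    seq = int.from_bytes(datagram[4:12], "big")
    crc = int.from_bytes(datagram[12:16], "big")
    record = datagram[16:]
    if zlib.crc32(record) != crc:
        return None
    return seq, record


class Sender:
    """Sending side of the link. It only ever calls transmit(); there is no read path."""

    def __init__(self, transmit, copies=2):
        self._transmit = transmit
        self._copies = copies
        self._seq = 0

    def send(self, record):
        # With no acknowledgements, redundancy is the only defence against loss.
        for _ in range(self._copies):
            self._transmit(frame(self._seq, record))
        self._seq += 1


class Receiver:
    """Receiving side: verifies integrity, deduplicates, and reports gaps it cannot fill."""

    def __init__(self):
        self.records = {}   # seq -> record; the first intact copy wins
        self.corrupt = 0    # datagrams that failed framing or the CRC check

    def receive(self, datagram):
        parsed = unframe(datagram)
        if parsed is None:
            self.corrupt += 1
            return
        seq, record = parsed
        self.records.setdefault(seq, record)

    def delivered(self):
        return [self.records[s] for s in sorted(self.records)]

    def missing(self):
        """Sequence numbers below the highest seen that never arrived intact."""
        if not self.records:
            return []
        return [s for s in range(max(self.records) + 1) if s not in self.records]


def simulate(records, drop=(), corrupt=(), copies=2):
    """Push records through a constructed one-way channel that loses or corrupts
    the datagrams at the given positions; returns the Receiver for inspection."""
    rx = Receiver()
    position = 0

    def channel(datagram):
        nonlocal position
        i, position = position, position + 1
        if i in drop:
            return                      # datagram lost in transit, nobody is told
        if i in corrupt:                # flip the last byte of the record
            datagram = datagram[:-1] + bytes([datagram[-1] ^ 0xFF])
        rx.receive(datagram)

    tx = Sender(channel, copies)
    for r in records:
        tx.send(r)
    return rx


if __name__ == "__main__":
    rx = simulate(SAMPLE_SYSLOG, drop={3, 8}, corrupt={4, 5})
    print("delivered:", len(rx.delivered()), "corrupt:", rx.corrupt, "missing:", rx.missing())
```

Two things the example makes visible. Dropping one copy of a record (positions 3 and 8) costs nothing because the duplicate arrives, but corrupting both copies of record 2 (positions 4 and 5) leaves a gap the receiver can only report, never repair, which is why a diode deployment pairs the receiver's gap report with an alerting rule. A trailing loss is invisible to `missing()` because nothing later ever arrives; a production sender would emit periodic heartbeat frames so the receiver can tell a quiet link from a dead one.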