NIST 800-53 REV 5 • ACCESS CONTROL
AC-4(8) — Security and Privacy Policy Filters
Enforce information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }}; and {{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-4.8_prm_4 }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact or classification level of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives.
Practitioner Notes
Security and privacy policy filters examine data as it crosses boundaries and enforce rules — blocking, modifying, or flagging content that violates policy. Think of them as content inspection checkpoints.
Example 1: In Microsoft Purview DLP, create policies with custom sensitive information types that detect CUI markings, ITAR-controlled data patterns, and export-controlled technical specifications. Configure the policy to block transmission and notify the sender's manager.
Example 2: On your email gateway (Proofpoint, Mimecast), configure content filtering rules that scan outbound emails for keywords like FOUO, CUI, CONTROLLED, and attachment types like CAD files (.stp, .iges). Block matching emails and route them to the security team for review.
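The following is an added illustration of the filter logic the two examples describe, not code from NIST or from any named product. It models a minimal outbound policy filter with both kinds of check the supplemental guidance names (data structure: attachment type and size; data content: marking keywords, with zero-width characters stripped first as a simple hidden-content check) and, per the control's last clause, a configurable action for a filter processing failure so that a decoding error never falls open to "allow". The internal domain, the size limit and the sample messages are constructed for the example; the keywords and CAD extensions are the ones named above.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Union

# Constructed policy values (assumptions for this example). Only the marking
# keywords and the CAD extensions come from the practitioner notes above.
INTERNAL_DOMAINS = {"example.com"}
MARKING_RE = re.compile(r"\b(FOUO|CUI|CONTROLLED)\b")   # markings are upper-case
BLOCKED_EXTENSIONS = {".stp", ".iges"}                  # CAD types named on the page
MAX_ATTACHMENT_BYTES = 25 * 1024 * 1024                 # constructed structure limit
# Zero-width characters are deleted before matching (a simple hidden-content check).
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)


@dataclass
class Attachment:
    filename: str
    size: int


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: Union[str, bytes]   # bytes models a raw MIME part that still needs decoding
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class Decision:
    action: str               # "allow", "block" or "quarantine"
    reasons: List[str]


def is_outbound(msg: Message) -> bool:
    """Outbound if any recipient is outside the organisation's own domains."""
    return any(r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS for r in msg.recipients)


def normalise(text: Union[str, bytes]) -> str:
    """Decode strictly (malformed input becomes a processing failure, not a silent
    pass) and drop zero-width characters that could split a marking keyword."""
    if isinstance(text, bytes):
        text = text.decode("utf-8")          # raises UnicodeDecodeError on bad input
    return text.translate(ZERO_WIDTH)


def content_findings(msg: Message) -> List[str]:
    """Data-content checks: marking keywords in subject and body."""
    findings = []
    for name, raw in (("subject", msg.subject), ("body", msg.body)):
        hit = MARKING_RE.search(normalise(raw))
        if hit:
            findings.append(f"{name} contains marking {hit.group(0)}")
    return findings


def structure_findings(msg: Message) -> List[str]:
    """Data-structure checks: attachment file type and size."""
    findings = []
    for att in msg.attachments:
        ext = os.path.splitext(att.filename)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"attachment {att.filename} has controlled type {ext}")
        if att.size > MAX_ATTACHMENT_BYTES:
            findings.append(f"attachment {att.filename} exceeds size limit")
    return findings


def evaluate(msg: Message, on_failure: str = "quarantine") -> Decision:
    """Apply the policy filter to one message.

    on_failure is the organisation-defined action for data after a filter
    processing failure; the filter never returns "allow" on an exception."""
    if not is_outbound(msg):
        return Decision("allow", ["internal-only recipients; filter not in scope"])
    try:
        findings = content_findings(msg) + structure_findings(msg)
    except Exception as exc:                   # any decoding or parsing error
        return Decision(on_failure, [f"filter processing failure: {exc!r}"])
    if findings:
        return Decision("block", findings)     # blocked and routed to security review
    return Decision("allow", [])


# Constructed sample messages.
SAMPLES = {
    "clean": Message("eng@example.com", ["vendor@partner.net"], "Lunch", "See you at noon"),
    "marked": Message("eng@example.com", ["vendor@partner.net"], "Drawing",
                      "This is C\u200bUI material", [Attachment("bracket_v2.stp", 1200)]),
    "malformed": Message("eng@example.com", ["vendor@partner.net"], "Hi", b"\xff\xfe\x00bad"),
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        d = evaluate(m)
        print(f"{label}: {d.action} {d.reasons}")
```

The `on_failure` parameter is the point of the control's second clause: a real gateway that throws on a malformed MIME part and lets the message through has no filter at all for that message, so the failure action should be one of the control's selections (block, strip, modify or quarantine) and the event should be logged for review.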