NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-46 Cross Domain Policy Enforcement

Implement a policy enforcement mechanism {{ insert: param, sc-46_odp }} between the physical and/or network interfaces for the connecting security domains.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement to preclude the presence of logical covert channels penetrating the security domain may be needed. Contact [ncdsmo@nsa.gov](mailto:ncdsmo@nsa.gov) for more information.

Practitioner Notes

Cross-domain policy enforcement applies when systems must exchange data between different security domains, such as between classified and unclassified networks.

Example 1: Deploy an NSA-approved cross-domain solution (CDS) that enforces content inspection policies on all data crossing between security domains. The CDS checks file types, scans for embedded objects, and verifies classification markings before allowing transfer.

Example 2: For unclassified cross-domain needs (like between CUI and public networks), use an application-layer gateway that inspects content type, strips metadata, and enforces data format restrictions. Only approved file types in approved formats can cross the boundary.
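The following is an added illustration of the checks described in Example 1 and Example 2, written for this page; it is not NIST text and not the code of any accredited cross-domain solution. It models the policy enforcement point as a one-way transfer filter: the declared type must be on an allow-list and agree with both the file extension and the magic bytes, the asserted classification marking must be releasable to the destination domain (and, for text files, match an in-band banner), and image metadata chunks are stripped before release. The allow-list (`APPROVED_TYPES`), the accepted markings, the `MARKING: <LEVEL>` banner format and the sample files are all constructed assumptions for the example. The PNG sanitizer verifies every chunk CRC and rejects bytes after `IEND`, so a malformed or padded file fails closed rather than being passed through partly inspected.

```python
import re
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list (assumption): declared MIME type -> (magic prefix, required extension).
APPROVED_TYPES = {
    "text/plain": (None, ".txt"),
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
}
# Constructed: markings the receiving (lower) domain may accept.
ACCEPTED_MARKINGS = {"UNCLASSIFIED"}
# Constructed banner convention for text files: first line reads "MARKING: <LEVEL>".
BANNER_RE = re.compile(rb"\AMARKING: ([A-Z]+)\r?\n")
# PNG ancillary chunks carrying free text or timestamps; the filter drops them.
PNG_METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"tIME", b"eXIf"}


@dataclass
class TransferRequest:
    filename: str
    declared_type: str
    marking: str  # label asserted by the sending domain
    data: bytes


@dataclass
class Verdict:
    allowed: bool
    reason: str
    sanitized: Optional[bytes] = None


def _check_type(req: TransferRequest) -> Optional[str]:
    """Reject unless declared type, extension and magic bytes all agree and the type is approved."""
    if req.declared_type not in APPROVED_TYPES:
        return f"type not approved: {req.declared_type}"
    magic, ext = APPROVED_TYPES[req.declared_type]
    if not req.filename.lower().endswith(ext):
        return f"extension does not match declared type {req.declared_type}"
    if magic is not None and not req.data.startswith(magic):
        return "magic bytes do not match declared type"
    if magic is None and any(b > 0x7F for b in req.data):
        return "text/plain payload is not ASCII"
    return None


def _check_marking(req: TransferRequest) -> Optional[str]:
    """Marking must be releasable; text files must carry a banner consistent with the asserted label."""
    if req.marking not in ACCEPTED_MARKINGS:
        return f"marking {req.marking} not releasable to destination domain"
    if req.declared_type == "text/plain":
        m = BANNER_RE.match(req.data)
        if not m or m.group(1).decode() != req.marking:
            return "in-band banner missing or inconsistent with asserted marking"
    return None


def strip_png_metadata(data: bytes) -> bytes:
    """Re-emit the PNG without metadata chunks, checking each CRC and refusing data after IEND."""
    out = bytearray(data[:8])
    pos = 8
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk body")
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        if ctype not in PNG_METADATA_CHUNKS:
            out += data[pos:end]
        pos = end
        if ctype == b"IEND":
            break
    if pos != len(data):
        raise ValueError("data after IEND")  # trailing bytes are not part of the approved format
    return bytes(out)


def enforce(req: TransferRequest) -> Verdict:
    """Apply the policy in order and fail closed on the first violation."""
    for check in (_check_type, _check_marking):
        reason = check(req)
        if reason:
            return Verdict(False, reason)
    try:
        sanitized = strip_png_metadata(req.data) if req.declared_type == "image/png" else req.data
    except ValueError as exc:
        return Verdict(False, f"malformed payload: {exc}")
    return Verdict(True, "passed policy", sanitized)


# Constructed sample inputs for demonstration.
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def sample_png(with_text_chunk: bool = True, trailing: bytes = b"") -> bytes:
    """1x1 greyscale PNG, optionally with a tEXt metadata chunk and trailing bytes."""
    png = b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    if with_text_chunk:
        png += _png_chunk(b"tEXt", b"Comment\x00author workstation hostname")
    return png + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b"") + trailing
```

Each check returns a reason rather than raising, so the enforcement point can log why a transfer was refused without revealing content to the lower domain. Per the supplemental guidance above, a filter like this is only useful when the interfaces it sits between have no other logical path; the code enforces the policy, the deployment has to make the policy unavoidable.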