>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

AC-4 (04)Information Flow Enforcement | Flow Control of Encrypted Information

High

>Control Description

Prevent encrypted information from bypassing organization-defined information flow control mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; organization-defined procedure or method].

>FedRAMP Baseline Requirements

Additional Requirements and Guidance

AC-4 (4) Requirement: The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf). Implementation of this control by service providers should specifically support the methods used by agency customers to provide visibility into their encrypted communications between agency networks and the cloud service boundary so that the confidentiality, integrity, or availability of federal customer within the boundary of the cloud service is not negatively impacted. This additional requirement should be automatically updated if M-21-31 or M-22-09 is rescinded, updated, or replaced.

>Discussion

Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-4(4) (Flow Control Of Encrypted Information)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-4(4)?
  • How frequently is the AC-4(4) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-4(4)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-4(4) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-4(4)?
  • How is AC-4(4) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-4(4) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-4(4)?
  • What audit logs, records, reports, or monitoring data validate AC-4(4) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-4(4) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-4(4) compliance?

Ask AI

Configure your API key to use AI features.