Level 2


Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content.  Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.  Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.  

Priority: High 


Services Associated with AWS: 

  • Amazon Virtual Private Cloud (VPC), AWS Network Firewall
  • Amazon VPC, AWS Network Firewall
  • AWS Transfer Family
  • AWS Network Firewall, AWS Direct Connect, AWS Transit Gateway
  • Amazon Inspector, AWS Trusted Advisor
  • AWS Identity and Access Management (IAM), AWS Organizations

Services Associated with Azure:

  • Azure Virtual Network (VNet)
  • Azure Firewall
  • Azure Web Application Firewall (WAF)
  • Azure ExpressRoute
  • Azure Application Gateway
  • Azure Traffic Manager
  • Azure Front Door
  • Azure API Management
  • Azure Logic Apps
  • Azure Functions
  • Azure Content Delivery Network (CDN)
  • Azure Storage Firewalls and Virtual Networks
  • Azure Network Security Groups (NSGs)
  • Azure Information Protection
  • Azure Data Loss Prevention (DLP)
  • Azure Security Center
  • Azure Monitor
  • Azure Sentinel
  • Azure Policy

Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative:  documented Data Flow Diagram (DFD)
  • Technical: screen shot of Data Loss Prevention (DLP) settings
  • Technical: screen shot of content filter settings

Possible Technology Considerations:

  • Data Loss Prevention (DLP)
  • Content / DNS Filtering Solution

What needs to be answered:

Do people know when they're handling CUI? Does the firewall restrict traffic? 

Checks for AWS

  • Ensure Proper Configuration of Network Traffic Flow
    Description: This check verifies that network traffic flow is regulated in accordance with approved authorizations, ensuring that CUI is not transmitted in clear to the Internet and external traffic claiming to be from within the organization is blocked.
  • Verify Proper Use of Internal Web Proxy Server
    Description: This check ensures that all requests to the Internet are routed through the internal web proxy server, thereby controlling the flow of information.
  • Validate Information Transfer Limitations
    Description: This check confirms that information transfers between organizations are restricted based on data structures and content, ensuring only approved CUI is shared.
  • Confirm Configuration of Boundary Protection Devices
    Description: This check ensures that boundary protection devices such as gateways, routers, firewalls, and encrypted tunnels are correctly configured to restrict system services and provide packet-filtering based on header information or message content.
  • Validate Trustworthiness of Information Flow Enforcement Mechanisms
    Description: This check confirms that filtering and inspection mechanisms critical to information flow enforcement are trustworthy, thereby mitigating the risks associated with information transfers between systems of different security domains.
  • Verify Compliance with Security Policies during Information Transfers
    Description: This check ensures that architectural solutions mandated to enforce specific security policies are in place when transferring information between interconnected systems representing different security domains.

Checks for Azure

  • Ensure Proper Configuration of Network Traffic Flow
    Description: This policy check verifies that network traffic flow is properly regulated in accordance with approved authorizations. It ensures that Azure Virtual Network (VNet) settings and other relevant network configurations are appropriately configured to control the flow of information and prevent unauthorized access.
  • Validate Use of Azure Firewall and Web Application Firewall (WAF)
    Description: This policy check confirms that Azure Firewall and Azure Web Application Firewall (WAF) are properly deployed and configured to enforce network security policies. It verifies that these security services are actively monitoring and filtering network traffic to protect against unauthorized access and potential threats.
  • Verify Proper Configuration of Azure ExpressRoute
    Description: This policy check ensures that Azure ExpressRoute, a dedicated private connection between on-premises infrastructure and Azure, is configured correctly. It validates that the traffic flowing through ExpressRoute is regulated and secured to prevent unauthorized access and data breaches.
  • Confirm Configuration of Azure Application Gateway and Traffic Manager
    Description: This policy check validates that Azure Application Gateway and Azure Traffic Manager are properly configured to control traffic routing and load balancing within Azure services. It ensures that these components are aligned with the organization's information flow control policies.
  • Validate Implementation of Azure Information Protection and Data Loss Prevention (DLP)
    Description: This policy check verifies that Azure Information Protection and Data Loss Prevention (DLP) mechanisms are in place to prevent the unauthorized disclosure of sensitive information. It ensures that policies and configurations are properly set to identify and protect sensitive data within Azure services.
  • Ensure Compliance with Azure Security Center and Azure Sentinel
    Description: This policy check confirms that Azure Security Center and Azure Sentinel are implemented and actively monitoring information flow within Azure. It verifies that security policies, threat detection, and incident response measures are in place to maintain the security of data and mitigate potential risks.
  • Implement Azure Policy for Information Flow Control
    Description: This policy check ensures that Azure Policy is used to enforce information flow control policies within Azure. It verifies that policies are defined and configured to restrict and regulate the flow of information based on data structures, content, and other specified criteria.

More Details: CUI is not transferred among employees and is contained to the customers who have uploaded the information. Client information not accessible by anyone else, including administrators.