3.1 ACCESS CONTROL
Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems.
Organizations employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems in different security domains with different security policies introduces the risk that the transfers violate one or more domain security policies. In such situations, information owners or information stewards provide guidance at designated policy enforcement points between connected systems. Organizations mandate specific architectural solutions when required to enforce logical or physical separation between systems in different security domains. Enforcement includes prohibiting information transfers between connected systems, employing hardware mechanisms to enforce one-way information flows, verifying write permissions before accepting information from another security domain or connected system, and implementing trustworthy regrading mechanisms to reassign security attributes and labels. Secure information transfer solutions often include one or more of the following properties: use of cross-domain solutions when traversing security domains, mutual authentication of the sender and recipient (using hardware-based cryptography), encryption of data in transit and at rest, isolation from other domains, and logging of information transfers (e.g., title of file, file size, cryptographic hash of file, sender, recipient, transfer time and Internet Protocol [IP] address, receipt time and IP address).
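The two mechanisms the discussion names that are most easily shown in code are the policy enforcement point for one-way flows and the transfer log record (title, size, cryptographic hash, sender, recipient, transfer and receipt time and IP). The following Python is an added illustration written for this page; it is not part of the control text, of NIST SP 800-172, or of any vendor product. The domain names LOW and HIGH, the ALLOWED_FLOWS policy, the users, addresses and file contents are all constructed, and the one-way flow is modelled in software where the control would normally expect a hardware mechanism.

```python
"""Added example (not from the source page): a minimal cross-domain
transfer gateway with a one-way flow policy, a sender-side transfer log
record, and receiver-side hash verification before acceptance.
All domain names, users, IP addresses and file contents are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical one-way flow policy: information may move from the LOW
# domain into HIGH, never the reverse. A real deployment would enforce
# this in hardware (data diode); here it is a software policy table.
ALLOWED_FLOWS = {("LOW", "HIGH")}


def flow_permitted(src_domain: str, dst_domain: str) -> bool:
    """Policy enforcement point: is a transfer src -> dst allowed?"""
    return (src_domain, dst_domain) in ALLOWED_FLOWS


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash recorded in the log and re-checked on receipt."""
    return hashlib.sha256(data).hexdigest()


def make_transfer_record(title, data, sender, sender_ip, recipient,
                         src_domain, dst_domain, sent_at):
    """Build the sender-side log entry; refuse flows the policy forbids."""
    if not flow_permitted(src_domain, dst_domain):
        raise PermissionError(f"flow {src_domain}->{dst_domain} not permitted")
    return {
        "title": title,
        "size": len(data),
        "sha256": sha256_hex(data),
        "sender": sender,
        "sender_ip": sender_ip,
        "recipient": recipient,
        "src_domain": src_domain,
        "dst_domain": dst_domain,
        "sent_at": sent_at.isoformat(),
    }


def verify_receipt(record, received_data, receiver_ip, received_at):
    """Receiver-side check: recompute size and hash before accepting the
    file, then append the receipt fields. Returns (accepted, full_record)."""
    actual_hash = sha256_hex(received_data)
    accepted = (len(received_data) == record["size"]
                and actual_hash == record["sha256"])
    full = dict(record)
    full.update({
        "receiver_ip": receiver_ip,
        "received_at": received_at.isoformat(),
        "received_sha256": actual_hash,
        "accepted": accepted,
    })
    return accepted, full


def run_demo():
    """Drive one clean transfer, one tampered transfer and one denied flow.
    Returns (clean_ok, tampered_ok, denied, clean_record)."""
    payload = b"quarterly-report.pdf contents (constructed)"
    sent = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    recv = datetime(2024, 1, 15, 9, 31, tzinfo=timezone.utc)
    rec = make_transfer_record("quarterly-report.pdf", payload, "alice",
                               "10.0.1.25", "bob", "LOW", "HIGH", sent)
    clean_ok, clean_record = verify_receipt(rec, payload, "10.0.2.40", recv)
    # A single appended byte must be caught by the size/hash check.
    tampered_ok, _ = verify_receipt(rec, payload + b"X", "10.0.2.40", recv)
    # A HIGH->LOW transfer must be refused at the policy enforcement point.
    try:
        make_transfer_record("secret.txt", b"x", "bob", "10.0.2.40",
                             "alice", "HIGH", "LOW", sent)
        denied = False
    except PermissionError:
        denied = True
    return clean_ok, tampered_ok, denied, clean_record


if __name__ == "__main__":
    clean_ok, tampered_ok, denied, record = run_demo()
    print(json.dumps(record, indent=2))
    print("clean accepted:", clean_ok, "| tampered accepted:", tampered_ok,
          "| reverse flow denied:", denied)
```

The record produced by `run_demo()` carries every field the control's logging example lists, and the receiver recomputes the hash rather than trusting the sender's value, which is the point of recording it. Mutual authentication and encryption in transit are deliberately left out; they belong to the transport and hardware layers the control text assumes, not to the log record.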
What is a Cybersecurity Compliance Framework?
As security and privacy programs become more sophisticated, they do not need to be cluttered with an ever-increasing number of tools. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly specialized, in-demand security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI DSS (Payment Card Industry Data Security Standard)
- SOC 2
- NIST 800-53
- NIST SP 800-161 Supply Chain Risk Management
- CIS Critical Security Controls v8