Skip to content

The ALG that is part of a CDS must enforce dynamic traffic flow control based on organization-defined policies.

An XCCDF Rule

Description

<VulnDiscussion>Information flow policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events. Organization-defined policies for CDS systems depend on the environment, data, and security boundaries. Organizations implementing CDS must follow the DoD-required process of testing, baselining, and risk assessment to ensure the rigor and accuracy necessary to rely upon a CDS for cross domain security. Enforcement occurs in boundary protection devices that employ rule sets or establish configuration settings that restrict information system services, provide a packet filtering capability based on header information, or provide a message filtering capability based on message content (e.g., implementing key word searches or using document characteristics). This requirement is primarily used by organizations with cross domain solution needs. These solutions require advanced filtering techniques and flow enforcement mechanisms, such as high-assurance guards. Dynamic traffic flow control mechanisms are generally not available in commercial off-the-shelf information technology products.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-204916r987726_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

If the ALG is part of a CDS, configure the ALG to enforce dynamic flow control based on organization-defined policies.