Back to Control Explorer



Control Acronym



Access Control

CMMC Level


800-171 Control #


CMMC Description

Control information flows between security domains on connected systems.

CMMC Clarification

This practice is not concerned with classified security domains. It addresses information flow among domains containing CUI and those that do not. While access control is concerned with controlling access to information by users and processes, controlling information flow (information flow control) is concerned with where information is allowed to move within a system and between systems. In general, information flow control can apply to any needed flow restrictions. For this CMMC practice the flows of concern are primarily between CUI authorized and CUI not-authorized components/systems. Any attempt to move CUI to a domain that has not been designated as a domain allowed to store or process CUI must be blocked. Example 1 You are the IT administrator for your organization. You have designed the network in each of the regional offices to have two zones: one zone that can store and process CUI data and a second zone where CUI information is not permitted. A firewall separates the two zones in the office so staff cannot access files and resources within the office, and a site-to-site VPN over the corporate WAN allows the CUI zones to communicate. To ensure separation between CUI projects, staff are given file access permissions to project servers and file stores by project. To facilitate the transfer of CUI files and data between the same project team working in each regional office, you install a SharePoint server on the CUI zone of the headquarters office. Authorized staff have accounts and use their MFA token to log into the SharePoint server to view or modify projects files stored there.

800-171 Description

800-171 Discussion


Other Source Discussion

DRAFT NIST SP 800-171B (MODIFIED) Organizations employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services; provide a packet-filtering capability based on header information; or provide message-filtering capability based on message content. Transferring information between systems in different security domains with different security policies introduces risk that the transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between connected systems. Organizations mandate specific architectural solutions when required to enforce logical or physical separation between systems in different security domains. Enforcement includes prohibiting information transfers between connected systems; employing hardware mechanisms to enforce one-way information flows; and verifying write permissions before accepting information from another security domain or connected system.

CIS Control References

CIS Controls v7.1 12.1, 12.2, 13.1, 13.3, 14.1, 14.2, 14.5, 14.6, 14.7, 15.6, 15.10

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-4, AC-4(1), AC-4(6), AC-4(8), AC-4(12), AC-4(13), AC-4(15), AC-4(20)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, DE.AE-1

CERT RMM Reference

Modification of NIST 800-171B Reference

CMMC modification of Draft NIST SP 800-171B 3.1.3e

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15