NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(14) Security or Privacy Policy Filter Constraints

When transferring information between different security domains, implement {{ insert: param, ac-4.14_prm_1 }} requiring fully enumerated formats that restrict data structure and content.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Data content policy filters include encoding formats for character sets, restricting character data fields to only contain alpha-numeric characters, prohibiting special characters, and validating schema structures.

Practitioner Notes

Policy filter constraints define the boundaries of what your security filters can handle. If a filter encounters data it was not designed to inspect, it should fail closed — block the data rather than let it pass uninspected.
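As an added illustration of the constraints in the supplemental guidance and of the fail-closed behaviour described above (example code, not from NIST or any product), a policy filter for a hypothetical, fully enumerated JSON transfer format; the field names, size limits and character-set rules are assumptions chosen to show each kind of restriction.

```python
# Added example, not taken from NIST or any product: a fail-closed policy
# filter for a hypothetical cross-domain transfer format. The format is fully
# enumerated (exactly the fields in SCHEMA, bounded sizes and lengths, ASCII
# encoding, alphanumeric content); anything else is rejected, never passed.
import json
import re

MAX_MESSAGE_BYTES = 4096                  # data-structure restriction: size
ALNUM = re.compile(r"[A-Za-z0-9]+")       # content restriction: no specials
DIGITS = re.compile(r"[0-9]{1,10}")

# Fully enumerated schema: field name -> (content pattern, maximum length).
SCHEMA = {
    "record_id": (DIGITS, 10),
    "classification": (re.compile(r"UNCLASSIFIED|RESTRICTED"), 12),
    "subject": (ALNUM, 64),
    "body": (ALNUM, 512),
}

class FilterReject(Exception):
    """Raised whenever the message falls outside the enumerated format."""

def filter_message(raw: bytes) -> dict:
    """Return the parsed message only if every constraint holds, else raise.
    Every branch that cannot positively verify the data raises, so a caller
    that forwards only the return value fails closed by construction."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise FilterReject("message exceeds maximum size")
    try:
        doc = json.loads(raw.decode("ascii"))   # encoding-format restriction
    except (UnicodeDecodeError, ValueError) as exc:
        raise FilterReject(f"not well-formed ASCII JSON: {exc}")
    if not isinstance(doc, dict) or set(doc) != set(SCHEMA):
        raise FilterReject("field set does not match the enumerated schema")
    for name, (pattern, max_len) in SCHEMA.items():
        value = doc[name]
        if not isinstance(value, str) or len(value) > max_len:
            raise FilterReject(f"{name}: not a string within length {max_len}")
        if not pattern.fullmatch(value):      # anchored whole-value match;
            raise FilterReject(f"{name}: characters outside permitted set")
    return doc                                # also catches \u-escaped non-ASCII

def transfer_allowed(raw: bytes) -> bool:
    """True only when the message passes the whole filter (fail closed)."""
    try:
        filter_message(raw)
        return True
    except FilterReject:
        return False
```

Note that the per-field patterns are what catch non-ASCII characters smuggled in through JSON `\u` escapes, which the ASCII decode alone would let through.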

Example 1: On your email gateway, configure the attachment scanning policy to quarantine any attachment that exceeds the scanner's maximum file size or nesting depth. In Defender for Office 365, set the Safe Attachments policy to Block rather than Monitor for unscannable files.

Example 2: On your web proxy, configure SSL inspection to block connections that use unsupported cipher suites or certificate pinning that prevents inspection. These connections bypass your content filters, so blocking them is the safe default.