NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(15) Detection of Unsanctioned Information

When transferring information between different security domains, examine the information for the presence of {{ insert: param, ac-04.15_odp.01 }} and prohibit the transfer of such information in accordance with the {{ insert: param, ac-4.15_prm_2 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Unsanctioned information includes malicious code, information that is inappropriate for release from the source network, or executable code that could disrupt or harm the services or systems on the destination network.

Practitioner Notes

This control is about detecting data that should not be on your network or moving across your boundaries — like classified data on an unclassified system or PII in an unauthorized location.

Example 1: Deploy Spirion (formerly Identity Finder) or Microsoft Purview Data Map to scan your file shares, SharePoint sites, and databases for unsanctioned PII. Configure weekly scans and route discoveries to the data owner for remediation — either secure it properly or delete it.

Example 2: On your network DLP sensor (Forcepoint, Digital Guardian), configure rules to detect classification markings like SECRET, NOFORN, or CUI//SP-CTI in network traffic. If detected on your unclassified network, trigger an immediate alert to your security team for spillage investigation.
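The marking check from Example 2, sketched as an added example that is not code from NIST or from any DLP vendor. The regex rules, the domain names and the per-domain policy table are constructed assumptions standing in for the organization-defined parameters of the control.

```python
import re

# Constructed rules modelled on the markings named in Example 2; not a vendor rule set.
RULES = {
    # Banner line: a classification level alone on a line, optional //CONTROL blocks.
    "banner": re.compile(
        r"^[ \t]*(?:TOP SECRET|SECRET|CONFIDENTIAL)(?://[A-Z][A-Z -]*)*[ \t]*\r?$", re.M),
    # CUI designator with at least one category block, e.g. CUI//SP-CTI.
    "cui": re.compile(r"\bCUI(?://[A-Z][A-Z-]*)+"),
    # Portion mark at the start of a paragraph, e.g. (S//NF) or (TS).
    "portion": re.compile(r"^[ \t]*\((?:TS|S|C)(?://[A-Z]+)*\)", re.M),
    # Dissemination control appearing anywhere in the text.
    "dissem": re.compile(r"\bNOFORN\b"),
}

def find_markings(text):
    """Return sorted (line_number, rule, matched_text) for every marking found."""
    hits = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, rule, m.group().strip()))
    return sorted(hits)

def examine_transfer(payload, dest_domain, allowed):
    """Decide whether payload (bytes) may cross into dest_domain.

    `allowed` maps a domain name to the rule names it may receive. A domain
    missing from the table may receive nothing, so the check fails closed.
    """
    text = payload.decode("utf-8", errors="replace")
    permitted = allowed.get(dest_domain, set())
    hits = [h for h in find_markings(text) if h[1] not in permitted]
    return {"action": "block" if hits else "allow", "hits": hits}

# Constructed policy and sample payloads (assumptions for the example).
POLICY = {"unclass-cui": {"cui"}, "unclass-public": set()}
SPILL = b"SECRET//NOFORN\n(S//NF) Route summary follows.\nSECRET//NOFORN\n"
BENIGN = b"Store the API secret in the vault. The secret rotates weekly.\n"
CUI_DOC = b"CUI//SP-CTI\nDrawing revision notes.\n"

if __name__ == "__main__":
    for name, data in [("spill", SPILL), ("benign", BENIGN), ("cui", CUI_DOC)]:
        print(name, examine_transfer(data, "unclass-cui", POLICY))
```

The rules are case-sensitive and anchored to banner or portion positions, which is why the lowercase word "secret" in the benign sample does not trigger a block. A bare CONFIDENTIAL banner also appears on ordinary business documents, so that rule needs tuning against your own traffic before it drives alerts.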