NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(23) Modify Non-releasable Information

When transferring information between different security domains, modify non-releasable information by implementing {{ insert: param, ac-04.23_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Modifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration, removal, or redaction.

Practitioner Notes

When information cannot be released as-is, this control says the system should modify it to remove the sensitive parts before allowing it to flow. Think redaction, sanitization, or downgrading.

Example 1: Use Adobe Acrobat Pro's redaction tool to permanently remove sensitive content from PDFs before external release. Important: use the actual Redact tool, not just black rectangles — the Redact tool removes the underlying text, while drawing a rectangle just covers it visually.

Example 2: For database exports going to a lower-classification environment, use SQL Server's Dynamic Data Masking or write ETL scripts that replace sensitive columns (SSN, names, addresses) with synthetic data before export. Validate the output to ensure no sensitive values survive.
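The ETL approach from Example 2, sketched as an added example that is not part of the original control text or any vendor's code: sensitive columns are replaced with keyed synthetic tokens, then the output is validated and the export fails closed if anything survived. The column names, key, rows, and the HMAC-based tokenization are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

SENSITIVE = ("ssn", "name", "address")          # columns named in Example 2
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")  # SSN-shaped text in any field

def synthetic(column, value, key):
    """Keyed, deterministic stand-in: equal inputs give equal tokens, so joins
    still work downstream, but tokens cannot be recomputed without the key."""
    digest = hmac.new(key, f"{column}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{column.upper()}-{digest[:10]}"

def mask_row(row, key):
    return {c: synthetic(c, v, key) if c in SENSITIVE else v for c, v in row.items()}

def find_leaks(source_rows, masked_rows):
    """Return (row_index, column, reason) for each sensitive value that survived."""
    originals = {str(r[c]) for r in source_rows for c in SENSITIVE if r.get(c)}
    leaks = []
    for i, row in enumerate(masked_rows):
        for col, val in row.items():
            text = str(val)
            if SSN_RE.search(text):
                leaks.append((i, col, "ssn-pattern"))
            leaks += [(i, col, "original-value") for o in originals if o in text]
    return leaks

def export(source_rows, key):
    """Mask, validate, and fail closed: nothing is released if a leak is found."""
    masked = [mask_row(r, key) for r in source_rows]
    leaks = find_leaks(source_rows, masked)
    if leaks:
        raise ValueError(f"export blocked, sensitive data survived: {leaks}")
    return masked

# Constructed sample data; row 2 carries an SSN in a free-text column.
KEY = b"constructed-demo-key"
ROWS = [
    {"id": 1, "ssn": "900-12-3456", "name": "Pat Example",
     "address": "1 Test St", "notes": "renewal due"},
    {"id": 2, "ssn": "900-65-4321", "name": "Sam Sample",
     "address": "2 Demo Ave", "notes": "caller gave SSN 900-65-4321"},
]

if __name__ == "__main__":
    print(find_leaks(ROWS, [mask_row(r, KEY) for r in ROWS]))
```

The second row shows why the validation step matters: the listed columns are masked correctly, yet the SSN survives in the unlisted `notes` column and the export is blocked.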