NIST 800-53 REV 5 • ACCESS CONTROL
AC-4(27) — Redundant/Independent Filtering Mechanisms
When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined policy. Redundant and independent content filtering eliminates a single point of failure in the filtering system. Independence is defined as the implementation of a content filter that uses a different code base and supporting libraries (e.g., two JPEG filters using different vendors' JPEG libraries) and runs as multiple, independent system processes.
Practitioner Notes
Using multiple independent filtering mechanisms means that if one filter misses something, the second one has a chance to catch it: defense in depth applied to content inspection. Independence is the key word. Two filters that share a code base or the same parsing library share the same bugs, so a second copy of the same engine does not satisfy the control; the filters must differ in implementation and run as separate processes so that a crash or bypass in one does not take the other down with it.
Example 1: Layer your email security with both Microsoft Defender for Office 365 and a third-party gateway like Proofpoint. Inbound mail passes through Proofpoint first (external filter), then Microsoft's native filtering (internal filter). Two different engines with different detection approaches.
Example 2: For web traffic, run your proxy (Zscaler) in series with a network IPS (Snort, Suricata). The proxy handles URL filtering and SSL inspection, while the IPS inspects the decrypted traffic for exploit signatures. Different vendors, different detection logic, same traffic.
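The pattern the Supplemental Guidance describes (different code base, separate OS process per filter, no single point of failure) is easiest to see in a small working model. The block below is an added example and is not part of the NIST text or the vendor products named above. It implements two independently written structure filters for one data type (PNG), runs each in its own process, and fails closed: a file crosses the boundary only if every filter accepts it, and a filter that crashes or hangs counts as a reject. The two filters deliberately check different things (filter A verifies chunk CRCs, filter B enforces a chunk-type allow-list and IHDR sanity), so the constructed samples show cases that only one of the two catches. The size ceiling, timeout, and sample files are assumptions chosen for the illustration; in a real cross-domain solution the two filters would come from different vendors' libraries rather than two functions in one file.

```python
"""Redundant, independent content filters for one data type (PNG), each run in
its own OS process, with a fail-closed aggregator.  Added illustration of
AC-4(27); not NIST or vendor code.  Sample inputs are constructed inline."""
import multiprocessing as mp
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_BYTES = 1_000_000   # assumed size ceiling for the illustration
TIMEOUT_S = 5.0         # a hung filter is treated as a reject (fail closed)


# ---- Filter A: walks the chunk list and verifies every chunk CRC -----------
def filter_a(data: bytes) -> bool:
    if len(data) > MAX_BYTES or not data.startswith(PNG_SIG):
        return False
    pos, first = len(PNG_SIG), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            return False                      # chunk runs past end of file
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            return False                      # corrupted or tampered chunk
        if first and ctype != b"IHDR":
            return False
        first, pos = False, end
        if ctype == b"IEND":
            return length == 0 and pos == len(data)   # nothing may trail IEND
    return False                              # ran out of bytes before IEND


# ---- Filter B: separately written; allow-list + IHDR invariants, no CRCs ---
ALLOWED_TYPES = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}

def _chunks_b(data: bytes):
    """Yield (type, payload); raise ValueError on any structural problem."""
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated header")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if not ctype.isalpha() or pos + 12 + length > len(data):
            raise ValueError("bad chunk")
        payload = data[pos + 8:pos + 8 + length]
        pos += 12 + length
        yield ctype, payload
        if ctype == b"IEND":
            if pos != len(data):
                raise ValueError("trailing bytes")
            return

def filter_b(data: bytes) -> bool:
    if len(data) > MAX_BYTES or data[:8] != PNG_SIG:
        return False
    try:
        seq = list(_chunks_b(data))
    except ValueError:
        return False
    types = [t for t, _ in seq]
    if types.count(b"IHDR") != 1 or types[0] != b"IHDR" or types[-1] != b"IEND":
        return False
    if b"IDAT" not in types or any(t not in ALLOWED_TYPES for t in types):
        return False
    ihdr = seq[0][1]
    if len(ihdr) != 13:
        return False
    w, h, depth, _colour, comp, flt, ilace = struct.unpack(">IIBBBBB", ihdr)
    return w > 0 and h > 0 and depth in (1, 2, 4, 8, 16) and comp == 0 \
        and flt == 0 and ilace in (0, 1)


# ---- Aggregator: one process per filter, unanimous accept required ---------
def _child(filter_fn, data: bytes) -> None:
    sys.exit(0 if filter_fn(data) else 1)     # any exception -> non-zero exit

def transfer_allowed(data: bytes) -> dict:
    ctx = mp.get_context("fork" if "fork" in mp.get_all_start_methods() else None)
    verdicts = {}
    for name, fn in (("filter_a", filter_a), ("filter_b", filter_b)):
        p = ctx.Process(target=_child, args=(fn, data))
        p.start()
        p.join(TIMEOUT_S)
        if p.is_alive():                      # hung filter: kill and reject
            p.kill()
            p.join()
            verdicts[name] = False
        else:
            verdicts[name] = p.exitcode == 0
    verdicts["allow"] = all(verdicts.values())
    return verdicts


# ---- Constructed sample files (not real captured data) ---------------------
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_png(extra_chunks=(), bad_crc=False, trailer=b"") -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                      # filter byte + 1 pixel
    body = bytearray(_chunk(b"IHDR", ihdr))
    for t, p in extra_chunks:
        body += _chunk(t, p)
    body += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    if bad_crc:
        body[8] ^= 0x01        # flip a byte of the IHDR payload, leave its CRC
    return PNG_SIG + bytes(body) + trailer

if __name__ == "__main__":
    for label, sample in (("clean", make_png()),
                          ("bad crc", make_png(bad_crc=True)),
                          ("tEXt chunk", make_png(((b"tEXt", b"Comment\x00hi"),))),
                          ("trailer", make_png(trailer=b"junk"))):
        print(f"{label:11s} -> {transfer_allowed(sample)}")
```

Running it shows why independence matters: the bad-CRC file is rejected only by filter A, the file carrying a non-allow-listed tEXt chunk is rejected only by filter B, and in both cases the transfer is blocked because the aggregator requires unanimity. A second copy of filter A would have let the tEXt case through.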