NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(28) Linear Filter Pipelines

When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Content filtering is the process of inspecting information as it traverses a cross-domain solution and determining whether the information meets a predefined policy. The use of linear content filter pipelines ensures that filter processes are non-bypassable and always invoked. In general, the use of parallel filtering architectures for content filtering of a single data type introduces bypass and non-invocation issues.

Practitioner Notes

Linear filter pipelines process data through a sequence of filters in a fixed order. Each filter handles one aspect of inspection, and data must pass every stage to be allowed through.

Example 1: Configure your mail flow so inbound email passes through these stages in order: (1) SPF/DKIM/DMARC validation, (2) anti-spam scoring, (3) malware scanning, (4) DLP content inspection, (5) delivery. Each stage either passes the message to the next stage or quarantines it.

Example 2: On your web application firewall, configure rule groups to execute in sequence: (1) IP reputation check, (2) rate limiting, (3) SQL injection detection, (4) XSS detection, (5) custom business rules. A request must pass all five stages before reaching your application.
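The mail-flow ordering from Example 1, sketched as an added Python example (not part of the control text or of any product's configuration). It shows one fixed stage order, quarantine at the first failing stage, and fail-closed handling when a filter crashes. The stage checks, thresholds and the Message fields are hypothetical stand-ins for real filters, and the sketch models ordering in-process only; it does not show the discretionary and mandatory access controls the control requires around the pipeline.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    sender_authenticated: bool  # stand-in for a combined SPF/DKIM/DMARC result
    spam_score: float
    body: bytes
    passed: list = field(default_factory=list)  # audit trail of stages passed


# Hypothetical stage checks; each returns True to hand the message onward.
def auth_validation(m): return m.sender_authenticated
def spam_scoring(m): return m.spam_score < 5.0       # assumed threshold
def malware_scan(m): return b"EICAR" not in m.body   # toy signature match
def dlp_inspection(m): return b"SSN:" not in m.body  # toy DLP pattern


# One fixed order, held in a tuple so no caller can reorder or drop a stage.
PIPELINE = (
    ("auth", auth_validation),
    ("spam", spam_scoring),
    ("malware", malware_scan),
    ("dlp", dlp_inspection),
)


def run_pipeline(m: Message) -> str:
    """Return 'delivered' or 'quarantined:<stage>'."""
    for name, check in PIPELINE:
        try:
            ok = check(m)
        except Exception:
            ok = False  # fail closed: a crashing filter must not become a bypass
        if not ok:
            return f"quarantined:{name}"
        m.passed.append(name)
    # Delivery gate: release only if the trail shows every stage exactly once,
    # in order. A message arriving with a pre-filled trail is rejected here.
    if m.passed != [name for name, _ in PIPELINE]:
        return "quarantined:incomplete"
    return "delivered"


if __name__ == "__main__":
    # Constructed sample messages.
    print(run_pipeline(Message(True, 1.2, b"quarterly report attached")))
    print(run_pipeline(Message(True, 1.0, b"SSN: 000-00-0000")))
```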