NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(5) Embedded Data Types

Enforce [Assignment: organization-defined limitations] on embedding data types within other data types.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools.

Practitioner Notes

Data files can contain embedded content — macros in Word docs, scripts in PDFs, embedded OLE objects. This control requires you to detect and manage these embedded data types as they flow across boundaries.

Example 1: On your email gateway (Microsoft Defender for Office 365), configure Safe Attachments to detonate attachments in a sandbox before delivery. Enable the policy to block documents with macros under Policies → Anti-malware → Common attachment types filter.

Example 2: Deploy Votiro or a similar CDR (Content Disarm and Reconstruct) solution on your file transfer gateway. It strips all active content (macros, embedded objects, scripts) from incoming files while preserving the readable content. Files are rebuilt clean before delivery to users.
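
The embedding-level limit from the Supplemental Guidance and the macro check from the Practitioner Notes can be combined in one boundary check. The following Python is an added example, not NIST text or any vendor's code. It handles only ZIP-based containers (including OOXML files), and `MAX_DEPTH`, `MAX_MEMBER_BYTES`, the function names and the sample files are assumptions made for illustration.

```python
import io
import zipfile

MAX_DEPTH = 2                 # assumed organization-defined limit on container levels
MAX_MEMBER_BYTES = 10 << 20   # assumed cap on declared member size

def inspect(data: bytes, name: str, depth: int = 0) -> list[str]:
    """Return BLOCK findings for a file and everything embedded in it."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # leaf data type: no further embedding to walk
    if depth >= MAX_DEPTH:
        # A container below the permitted level is not opened: fail closed
        # rather than pass content the inspection never saw.
        return [f"BLOCK {name}: embedding depth exceeds {MAX_DEPTH}"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}!{info.filename}"
            lower = "/" + info.filename.lower()
            if info.flag_bits & 0x1:
                findings.append(f"BLOCK {path}: encrypted member, cannot inspect")
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"BLOCK {path}: member too large to inspect")
            else:
                if lower.endswith("/vbaproject.bin"):
                    findings.append(f"BLOCK {path}: VBA macro project")
                elif "/embeddings/" in lower:
                    findings.append(f"BLOCK {path}: embedded object in OOXML file")
                findings.extend(inspect(zf.read(info), path, depth + 1))
    return findings

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()

# Constructed samples: a macro-enabled document inside an upload, and a
# ZIP nested three containers deep.
DOCM = make_zip({"word/document.xml": b"<doc/>", "word/vbaProject.bin": b"placeholder"})
UPLOAD = make_zip({"report.docm": DOCM, "notes.txt": b"plain text"})
NESTED = make_zip({"a.zip": make_zip({"b.zip": make_zip({"c.txt": b"x"})})})

if __name__ == "__main__":
    for label, blob in (("upload.zip", UPLOAD), ("nested.zip", NESTED)):
        print(label, inspect(blob, label) or "PASS")
```

An empty result means nothing in the file tripped the policy; any `BLOCK` finding should stop the transfer, including the depth finding, which marks content that was never inspected.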