NIST-800-53-AC-4

Information Flow Enforcement

Access Control Policies for 18F

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on the 18F Access Control Policy Section 3 - Information Flow Enforcement which states:

  • 18F enforces approved authorizations for controlling the flow of information within its information systems and between interconnected systems in accordance with applicable federal laws and 18F policies and procedures.
  • 18F shall use flow control restrictions to include: keeping export controlled information from being transmitted in the clear to the internet, blocking outside traffic that claims to be from within the organization and not passing any web requests to the internet that are not from the internal web proxy.
  • 18F shall use boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on content (e.g., using keyword searches or document characteristics).

Covered By:

Application Security Groups

Cloud.Gov evaluates application security groups and other network traffic rules in a strict priority order. It returns an allow, deny, or reject result for the first rule that matches the outbound traffic request parameters and does not evaluate any lower-priority rules. Cloud.Gov implements network traffic rules using Linux iptables on the component VMs. DevOps configures rules to prevent system access from external networks and between internal components, and to restrict applications from establishing connections over the DEA network interface. A Cloud.Gov application security group (ASG) consists of a list of access rules that control application outbound traffic. DEA network properties allow DevOps to configure the allow_networks and deny_networks parameters for DEAs to prohibit communication between system components and applications.
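To make the first-match behaviour concrete, here is an added example (not cloud.gov's code or configuration) that evaluates an ordered outbound rule chain the way the paragraph describes: the first matching rule decides, lower-priority rules are never consulted, and an unmatched request falls through to a default reject. The protocol, destination and ports fields follow the Cloud Foundry ASG rule format; the action field, the combined deny-then-allow ordering and the sample addresses are assumptions made for this illustration. The constructed chain deliberately contains a DNS allow rule that is shadowed by an earlier deny_networks-style rule, which is the ordering mistake a reviewer of such a chain should look for.

```python
import ipaddress

# Constructed rule chain for illustration (not cloud.gov's actual rules). The
# protocol/destination/ports fields follow the Cloud Foundry ASG rule format;
# the "action" field is an assumption used here to put deny and allow rules in
# one ordered chain, as the first-match evaluation described above implies.
RULES = [
    {"action": "deny",  "protocol": "all", "destination": "169.254.169.254/32", "ports": None},
    {"action": "deny",  "protocol": "all", "destination": "10.0.0.0/8",         "ports": None},
    {"action": "allow", "protocol": "tcp", "destination": "0.0.0.0/0",          "ports": "80,443"},
    # Intended to allow DNS to an internal resolver, but rule index 1 above shadows it.
    {"action": "allow", "protocol": "udp", "destination": "10.0.1.2/32",        "ports": "53"},
]


def dest_matches(destination, ip):
    """destination is a single IP, a CIDR block, or an 'a.b.c.d-e.f.g.h' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in destination:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in destination.split("-", 1))
        return lo.version == addr.version and lo <= addr <= hi
    net = ipaddress.ip_network(destination, strict=False)
    return net.version == addr.version and addr in net


def port_matches(ports, port):
    """ports is None (any port) or a comma-separated list of ports and lo-hi ranges."""
    if ports is None:
        return True
    if port is None:
        return False
    for item in ports.split(","):
        lo, _, hi = item.strip().partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if lo_n <= port <= hi_n:
            return True
    return False


def rule_matches(rule, protocol, dst_ip, dst_port):
    proto_ok = rule["protocol"] == "all" or rule["protocol"].lower() == protocol.lower()
    return (proto_ok
            and dest_matches(rule["destination"], dst_ip)
            and port_matches(rule["ports"], dst_port))


def matching_rules(rules, protocol, dst_ip, dst_port=None):
    """Indices of every rule that matches; under strict priority only the first takes effect."""
    return [i for i, r in enumerate(rules) if rule_matches(r, protocol, dst_ip, dst_port)]


def evaluate(rules, protocol, dst_ip, dst_port=None, default="reject"):
    """First-match evaluation: (action, index) of the winning rule, or (default, None)."""
    hits = matching_rules(rules, protocol, dst_ip, dst_port)
    if hits:
        return rules[hits[0]]["action"], hits[0]
    return default, None


if __name__ == "__main__":
    for probe in [("tcp", "93.184.216.34", 443), ("tcp", "169.254.169.254", 80),
                  ("udp", "10.0.1.2", 53), ("tcp", "93.184.216.34", 22)]:
        print(probe, "->", evaluate(RULES, *probe), "all matches:", matching_rules(RULES, *probe))
```

Running the block prints each probe with the winning rule and every rule that would have matched. matching_rules is the quick way to spot a shadowed rule: any index after the first is dead under strict priority, so the UDP/53 probe reporting [1, 3] tells you the DNS allow at index 3 can never fire until it is moved above the deny at index 1.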

Amazon Virtual Private Cloud

The organization incorporates security features within its VPC such as security groups, network ACLs, route tables, and external gateways. Each of these items is complementary in providing a secure, isolated network. Network access control lists (ACLs) are created to allow or deny traffic entering or exiting the subnets. Each subnet has a route table associated with it that directs network traffic to Internet gateways, virtual private gateways, or Network Address Translation (NAT) gateways for private subnets. The organization's Virtual Private Cloud (VPC) infrastructure has firewalls (security groups) that filter both ingress and egress traffic for its instances. The default security group allows inbound communication from other members of the same group and outbound communication to any destination. Traffic is restricted by IP protocol, by service port, and by source/destination IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
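As an added example (not cloud.gov's tooling), the following audits a security group listing in the shape returned by aws ec2 describe-security-groups for the patterns the paragraph describes: the default group's all-protocol trust between its own members, unrestricted egress to any destination, and ingress from 0.0.0.0/0 or ::/0 on anything other than an approved public port set. The sample groups, IDs, CIDRs and the approved-port set are constructed for the illustration; only the JSON field names follow the AWS output format.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`
# (not real cloud.gov data; group IDs and CIDRs are made up for the example).
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "default", "VpcId": "vpc-0abc",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}],
   "IpPermissionsEgress": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "web", "VpcId": "vpc-0abc",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
   "IpPermissionsEgress": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
]}
""")

# Assumption for this example: only these (protocol, port) pairs may face the Internet.
ALLOWED_PUBLIC_INGRESS = {("tcp", 80), ("tcp", 443)}


def is_world_open(perm):
    """True if the permission's CIDR list includes every IPv4 or every IPv6 address."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def port_label(perm):
    """Human-readable protocol/port description; -1 means all protocols and has no ports."""
    proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return proto
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit(groups, allowed_public=ALLOWED_PUBLIC_INGRESS):
    """Return (group_id, direction, detail) findings for over-permissive rules, in listing order."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            # Default-group pattern: every protocol trusted between members of the same group.
            self_ref = any(p.get("GroupId") == gid for p in perm.get("UserIdGroupPairs", []))
            if perm["IpProtocol"] == "-1" and self_ref:
                findings.append((gid, "ingress", "all protocols allowed from members of the same group"))
            if not is_world_open(perm):
                continue
            proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
            approved = (proto in ("tcp", "udp") and lo is not None and hi is not None
                        and all((proto, p) in allowed_public for p in range(lo, hi + 1)))
            if approved:
                continue  # every port in the range is an approved public service
            findings.append((gid, "ingress", f"{port_label(perm)} open to the world"))
        for perm in sg.get("IpPermissionsEgress", []):
            # Egress that is both all-protocol and any-destination defeats flow control entirely.
            if perm["IpProtocol"] == "-1" and is_world_open(perm):
                findings.append((gid, "egress", "all traffic permitted to any destination"))
    return findings


if __name__ == "__main__":
    for gid, direction, detail in audit(SAMPLE["SecurityGroups"]):
        print(f"{gid} {direction}: {detail}")
```

The egress check is deliberately narrow: a group that only permits tcp/443 outbound to 0.0.0.0/0 (sg-0bbb in the sample) is not flagged, because restricting egress by port is exactly the kind of flow-control restriction the policy calls for; what the audit catches is the default group's allow-everything posture and the SSH port left open to the Internet.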

User Account and Authentication (UAA) Server

The UAA server narrative restates the 18F Access Control Policy Section 3 - Information Flow Enforcement statement quoted above under Access Control Policies for 18F.
