AC.4.023 Control information flows between security domains on connected systems.

CMMC Practice AC.4.023: Control information flows between security domains on connected systems.

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)

This practice is not concerned with classified security domains. It addresses information flow among domains containing CUI and those that do not. While access control is concerned with controlling access to information by users and processes, controlling information flow (information flow control) is concerned with where information is allowed to move within a system and between systems. In general, information flow control can apply to any needed flow restrictions. For this CMMC practice the flows of concern are primarily between CUI authorized and CUI not-authorized components/systems. Any attempt to move CUI to a domain that has not been designated as a domain allowed to store or process CUI must be blocked.