DoD STIGs – V-32225


Title: Applications must enforce information flow using dynamic control based on policy that allows or disallows information flow based on changing conditions or operational considerations.

Vulnerability ID: V-32225


IA Controls: None

Severity: medium

Description: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information.

A few examples of flow control restrictions include: keeping export controlled information from being transmitted in the clear to the Internet, blocking outside traffic claiming to be from within the organization and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems.

Flow control is based on the characteristics of the information and/or the information path. Flow control is also based on the characteristics of the information and/or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers) employing rule sets or establish configuration settings restricting information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on content (e.g., using key word searches or document characteristics).

This requirement applies only to network devices specifically for handling flow control. This requirement is NA for databases.

Check Text: This check is NA for databases.

Fix Text: This fix is NA for databases.


Interpreting V-32225:

As this requirement focuses on network device compliance, it doesn’t really apply to SQL Server. You should still make sure connections used by SQL Server are secure. This means setting up SQL Server to use SSL on connections, to verifying you are aware of what each linked server and endpoint is used for and secured.

Return to the DoD STIGs – Database Security Requirements Guide

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.