The layer 2 switch, when transferring information between different security domains, must apply the same security policy filtering to metadata as it applies to data payloads.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-278985 | SRG-NET-000328-L2S-000043 | SV-278985r1137780_rule | CCI-002211 | medium |
| Description | ||||
| Subjecting metadata to the same filtering and inspection policies as payload data avoids the potential for data compromise through covert channels and the bypass of security policy filtering. This requirement applies to layer 2 switches that transfer information between different security domains (e.g., cross-domain solutions). This requirement also applies to Zero Trust initiatives. | ||||
| STIG | Date | |||
| Layer 2 Switch Security Requirements Guide | 2026-02-12 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
AC-4(19)
1.00
- DISA · V3R4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-002211
1.00
- DISA · V3R4 · disa_xccdf · related
Details
Check Text (C-278985r1137780_chk)
Verify the layer 2 switch is configured to apply the same security policy filtering to metadata as it applies to data payloads, when transferring information between different security domains.
If the layer 2 switch does apply the same security policy filtering to metadata as it applies to data payloads, when transferring information between different security domains, this is a finding.
Fix Text (F-83438r1137779_fix)
Configure the layer 2 switch to apply the same security policy filtering to metadata as it applies to data payloads, when transferring information between different security domains.