AC-4(11): Configuration of Security or Privacy Policy Filters

9 min readLast verified: February 2026By

AC-4(11) requires you to give privileged administrators a controlled, auditable way to configure security or privacy policy filters (for example, network, application, API, email, or data-loss filters) so the organization can enforce different policies across environments, data types, or user populations. To operationalize it, define which filters matter, restrict who can change them, implement change control, and retain evidence that configurations match approved policies. 1

Key takeaways:

  • You must support configurable policy filters, not hard-coded “one policy for everything.” 1
  • Limit configuration rights to privileged administrators and prove configurations map to approved policy requirements. 1
  • Auditors will look for change records, baselines, and verification that filters enforce distinct security or privacy policies as intended. 2

AC-4(11): configuration of security or privacy policy filters requirement is a practical control disguised as a short sentence. You are being asked to make policy enforcement “configurable by design” and to put that configurability in the hands of tightly controlled privileged administrator roles. That matters whenever your organization must apply different rules to different networks, systems, data classifications, tenants, missions, or privacy contexts.

In real programs, “policy filters” shows up as a mix of technologies: firewalls and micro-segmentation rules, web proxies, secure email gateways, API gateways, data loss prevention (DLP), SaaS conditional access policies, container/Kubernetes admission controls, and cloud policy engines. AC-4(11) does not force you into a specific tool. It forces you to prove that (1) privileged administrators can configure the relevant filters, and (2) the configuration supports multiple security or privacy policies, rather than a single static ruleset. 1

The fastest way to implement this requirement is to treat it like a “policy-to-configuration mapping” problem: name the policies, name the filters that enforce them, assign privileged admin roles, and run disciplined change control with recurring validation.

Regulatory text

Requirement (excerpt): “Provide the capability for privileged administrators to configure {{ insert: param, ac-4.11_prm_1 }} to support different security or privacy policies.” 1

Operator translation: you must:

  1. Identify the “policy filters” in scope for your system (the parameter in the excerpt is where your organization defines the specific filter types).
  2. Ensure privileged administrators can configure those filters (role-based, not ad hoc).
  3. Ensure the filters can be configured to enforce different security or privacy policies (for example, different rules per environment, tenant, data type, or trust zone). 1

Plain-English interpretation

AC-4(11) is about control and adaptability:

  • Control: only privileged administrators should be able to change enforcement filters, and you must be able to show who changed what and why.
  • Adaptability: the same platform must be able to enforce different policy outcomes through configuration (example: stricter egress controls for regulated data zones; different privacy handling rules for certain datasets).

If your enforcement is “baked in” (hard-coded rules, untracked console changes, inconsistent scripts), this control will fail in an assessment even if your security posture is otherwise strong. 2

Who it applies to

Entity scope (typical):

  • Federal information systems.
  • Contractor systems handling federal data. 1

Operational scope (where you feel it):

  • Network boundary enforcement (on-prem, cloud, hybrid).
  • Segmentation and zero trust projects (policy differs by zone).
  • Privacy programs (policy differs by dataset, purpose limitation, or sharing constraints).
  • Multi-tenant or multi-mission environments (policy differs by tenant/mission).

Teams involved:

  • Security engineering / network security (filter tooling and baselines).
  • IAM team (privileged admin roles, MFA, conditional access).
  • GRC / compliance (policy mapping, evidence, assessment readiness).
  • Platform/cloud ops (infrastructure-as-code, CI/CD, configuration management).

What you actually need to do (step-by-step)

1) Define “policy filters” for your environment (parameterize AC-4(11))

AC-4(11) includes an organization-defined parameter for what filters you mean. Pick a short, auditable list that matches how you enforce policy, such as:

  • Network firewalls / security groups / NACLs
  • Web proxy filtering
  • Secure email gateway rules
  • API gateway policies (authZ, rate limiting, schema validation)
  • DLP policies (endpoint, email, cloud)
  • Cloud policy engines (for example, guardrails that deny noncompliant resources)

Deliverable: AC-4(11) parameter statement in your SSP/control narrative that lists the filter categories you rely on. 1

2) Enumerate the “different security or privacy policies” you must support

Do not keep this abstract. Write the policies as implementable rule families, for example:

  • “Regulated data zone: deny outbound to public internet except approved update repos.”
  • “Non-production: allow broader egress but block exfiltration of sensitive data patterns.”
  • “Privacy dataset X: block sharing to third parties unless approved destination tags present.”

Deliverable: Policy-to-filter mapping table (example template below).

3) Implement privileged administrator control over configuration

You need a concrete, testable answer to: “Who can change policy filters, and how is it controlled?”

  • Define privileged roles (for example, Firewall Admin, DLP Policy Admin, API Gateway Admin).
  • Enforce least privilege and separation of duties where feasible (policy approver vs implementer).
  • Require strong authentication for privileged access and restrict where admin actions can occur (jump host, managed workstation, or PAM).

Deliverables:

  • Role definitions and group memberships (export/screenshot plus system report).
  • Access approval workflow (ticketing evidence).
  • Privileged access procedure for filter configuration changes.

4) Standardize configuration methods (reduce “snowflake” admin changes)

AC-4(11) is easier to defend when configuration is consistent:

  • Use version control for filter rules where possible (firewall policies as code, WAF rulesets, proxy allowlists).
  • If a console must be used, force ticket linkage and logging, and document “break-glass” only for emergencies.
  • Maintain configuration baselines by environment (prod vs non-prod) and by zone/tenant.

Deliverables:

  • Baseline configurations (exported rulesets, policy JSON, infrastructure-as-code modules).
  • Configuration standards (naming conventions, tagging, rule documentation requirements).

5) Prove the filters actually support different policies

Assessors will challenge you here: “Show me the differences and why they exist.”

  • Maintain at least one concrete example of distinct policy sets (for example, “Policy A: regulated zone”, “Policy B: general zone”) mapped to actual filter rules.
  • Add verification: rule review checklist, automated policy tests, or periodic access path validation.

Deliverables:

  • Policy comparison evidence (diffs between rulesets; separate policy objects per zone).
  • Validation records (test results, review sign-off, or automated checks output).

6) Operate change control and monitoring

Configuration capability without governance becomes risk.

  • Route filter changes through change management (ticket, risk impact, approval, implementation, validation).
  • Log all privileged administrative actions and retain logs per your retention policy.
  • Review changes for unauthorized modifications and drift.

Deliverables:

  • Change tickets with approvals and implementation notes.
  • Audit logs of admin actions (who/what/when).
  • Periodic review records (rule recertification, drift reports).

Required evidence and artifacts to retain (audit-ready)

Use this checklist to build an “AC-4(11) evidence packet”:

Evidence What it proves Owner
SSP/control narrative with AC-4(11) parameter (filter types) Defined scope of “policy filters” GRC + Security Eng
Policy-to-filter mapping table Filters enforce named security/privacy policies GRC
Privileged admin role design + membership exports Only privileged admins can configure filters IAM/SecOps
Configuration baselines (exports or IaC repo references) Standardized, repeatable configurations Platform/SecEng
Change tickets + approvals + validation Controlled change process ITSM/Change Mgmt
Admin action logs Traceability of configuration actions SecOps/SIEM

Daydream (as a workflow system) fits naturally here when you need a single place to map AC-4(11) to an owner, a documented procedure, and recurring evidence artifacts so audits do not turn into screenshot hunts. 1

Common exam/audit questions and hangups

Expect these questions in a NIST 800-53 assessment context:

  • “What are your policy filters for AC-4(11), specifically?” 1
  • “Show me who has privileged rights to change them, and how access is approved.”
  • “Demonstrate two different policies implemented through configuration, not just documentation.”
  • “How do you prevent and detect unauthorized changes?”
  • “Where is the evidence that changes were reviewed and validated?”

Hangups that slow teams down:

  • The parameter is not defined, so scope is vague and evidence is scattered.
  • “Different policies” are described in a policy PDF but not realized as separate rule sets.
  • Admin access exists, but there is no authoritative list of privileged admins and no log retention story.

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Treating “filters” as only network firewalls.
    Fix: include the enforcement points that actually implement policy in your architecture (proxy, API gateway, DLP, cloud guardrails). Keep the list tight and defensible. 1

  2. Mistake: One global ruleset with informal exceptions.
    Fix: create explicit policy objects per zone/tenant/context, with naming and ownership, then map each to the policy requirement it implements.

  3. Mistake: Console changes with no traceability.
    Fix: require tickets, enable admin action logging, and prefer version-controlled rules where feasible.

  4. Mistake: Privileged admin sprawl.
    Fix: define roles, review membership, remove standing access where possible, and document break-glass.

Enforcement context and risk implications

No public enforcement cases were provided for this requirement in the supplied source catalog, so this page focuses on assessment and operational risk.

Risk if you fail AC-4(11) tends to show up as:

  • Inability to enforce stricter policies for sensitive data zones.
  • Unauthorized or unreviewed filter changes that open connectivity paths or allow data flows that violate privacy constraints.
  • Weak auditability, which becomes a finding even if your intent is sound. 2

Practical execution plan (30/60/90-day)

Use a phased plan with concrete outputs; treat the “days” as naming only, not a promise of duration.

First 30 days (Immediate)

  • Name the in-scope policy filters (the AC-4(11) parameter) and get owner sign-off. 1
  • Build the policy-to-filter mapping table for the top environments/zones.
  • Produce the privileged admin roster for each filter platform (authoritative export).
  • Turn on or verify admin action logging for the platforms in scope.

By 60 days (Near-term)

  • Establish baselines: export current rulesets or codify them in version control.
  • Implement change control requirements for filter changes (ticket, approval, validation notes).
  • Create at least two distinct policy configurations and document the differences with evidence (rule diffs, screenshots, or policy object exports).

By 90 days (Operationalize)

  • Add recurring review: rule recertification and privileged membership review.
  • Add drift detection where feasible (config monitoring, alerts on changes).
  • Package evidence for assessors: a single AC-4(11) folder/workspace with the narrative, mappings, baselines, tickets, and logs.

If your program struggles with repeatable evidence collection, Daydream becomes the system of record to assign the control owner, store the procedure, and schedule recurring evidence requests tied to AC-4(11). 1

Frequently Asked Questions

What counts as a “security or privacy policy filter” for AC-4(11)?

It’s any technical enforcement point that can permit, deny, transform, or inspect traffic/data based on policy rules, as defined by your organization’s AC-4(11) parameter. Write down the filter categories you rely on and keep the scope stable for audits. 1

Do we need multiple tools to meet the “different policies” requirement?

No. You need the capability to configure your filters to enforce different policies, which can be done inside one platform using separate policy objects, rule groups, environments, or tenants. Prove the differences with configuration evidence. 1

If our filters are managed by a third party MSSP, can we still comply?

Yes, if privileged administration is controlled and auditable, and you can demonstrate the MSSP can configure filters to match your different approved policies. Contractually require evidence, change records, and admin action logs aligned to your control narrative. 2

What’s the minimum evidence an auditor will accept?

Expect to show (1) defined filter scope, (2) privileged admin access controls, (3) configuration baselines, and (4) change records that map changes to approved policies. Missing any one of those usually leads to a documentation or operating effectiveness gap. 2

How do we handle emergency changes without failing AC-4(11)?

Use a documented break-glass procedure: time-bound privileged access, mandatory logging, and a post-change review ticket that captures what changed and why. Keep the break-glass list short and reviewed. 2

Where does AC-4(11) overlap with other access control requirements?

AC-4(11) sits inside information flow enforcement and focuses on configurable filters; it commonly depends on privileged access management, change control, and logging controls. Treat those as dependencies and cross-reference them in your SSP to reduce duplicated evidence. 2

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5

Frequently Asked Questions

What counts as a “security or privacy policy filter” for AC-4(11)?

It’s any technical enforcement point that can permit, deny, transform, or inspect traffic/data based on policy rules, as defined by your organization’s AC-4(11) parameter. Write down the filter categories you rely on and keep the scope stable for audits. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

Do we need multiple tools to meet the “different policies” requirement?

No. You need the capability to configure your filters to enforce different policies, which can be done inside one platform using separate policy objects, rule groups, environments, or tenants. Prove the differences with configuration evidence. (Source: NIST SP 800-53 Rev. 5 OSCAL JSON)

If our filters are managed by a third party MSSP, can we still comply?

Yes, if privileged administration is controlled and auditable, and you can demonstrate the MSSP can configure filters to match your different approved policies. Contractually require evidence, change records, and admin action logs aligned to your control narrative. (Source: NIST SP 800-53 Rev. 5)

What’s the minimum evidence an auditor will accept?

Expect to show (1) defined filter scope, (2) privileged admin access controls, (3) configuration baselines, and (4) change records that map changes to approved policies. Missing any one of those usually leads to a documentation or operating effectiveness gap. (Source: NIST SP 800-53 Rev. 5)

How do we handle emergency changes without failing AC-4(11)?

Use a documented break-glass procedure: time-bound privileged access, mandatory logging, and a post-change review ticket that captures what changed and why. Keep the break-glass list short and reviewed. (Source: NIST SP 800-53 Rev. 5)

Where does AC-4(11) overlap with other access control requirements?

AC-4(11) sits inside information flow enforcement and focuses on configurable filters; it commonly depends on privileged access management, change control, and logging controls. Treat those as dependencies and cross-reference them in your SSP to reduce duplicated evidence. (Source: NIST SP 800-53 Rev. 5)

Related Resources

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

See Daydream