The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-272061	SRG-NET-000018-RTR-000001	CACI-RT-000001	SV-272061r1168386_rule	2025-12-11	1

Description
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems. In Cisco ACI, the administrator uses "contracts" to define security policies that control traffic between different endpoint groups (EPGs), essentially acting as a more granular and flexible ACL mechanism by specifying source and destination addresses, ports, and protocols based on the desired network segmentation needs. Add multiple filter rules to create a comprehensive set of allowed traffic patterns. Satisfies: SRG-NET-000019-RTR-000005, SRG-NET-000715-RTR-000120

Description

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. The flow of all network traffic must be monitored and controlled so it does not introduce any unacceptable risk to the network infrastructure or data. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems. In Cisco ACI, the administrator uses "contracts" to define security policies that control traffic between different endpoint groups (EPGs), essentially acting as a more granular and flexible ACL mechanism by specifying source and destination addresses, ports, and protocols based on the desired network segmentation needs. Add multiple filter rules to create a comprehensive set of allowed traffic patterns. Satisfies: SRG-NET-000019-RTR-000005, SRG-NET-000715-RTR-000120

ℹ️ Check
Review the switch configuration to verify that contracts are configured. 1. To check contract configuration, navigate to Tenants >> {{Your_Tenant}} >> Contracts >> Standard (whitelist)/Taboos (blacklist) >> {{Your_Contract}} >> {{your_subject}}. 2. To check the configuration for the Provider and Consumer of the contract, navigate to Tenants >> {{Your_Tenant}} >> Application Profiles >> {{ your_Application_Profile}} >> Application EPGs >> {{Your_EPG}} >> Contracts. If the switch is not configured to use contract filters to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.

ℹ️ Check

Review the switch configuration to verify that contracts are configured. 1. To check contract configuration, navigate to Tenants >> {{Your_Tenant}} >> Contracts >> Standard (whitelist)/Taboos (blacklist) >> {{Your_Contract}} >> {{your_subject}}. 2. To check the configuration for the Provider and Consumer of the contract, navigate to Tenants >> {{Your_Tenant}} >> Application Profiles >> {{ your_Application_Profile}} >> Application EPGs >> {{Your_EPG}} >> Contracts. If the switch is not configured to use contract filters to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies, this is a finding.

✔️ Fix
Configure "contracts" to define security policies that control traffic between different EPGs. Contract subjects must combine filters that will designate what traffic is allowed to pass through the contract, but for the contract to work it must be applied where the Provider contract is attached to the service side and the Consumer is attached to the user side. Traffic must be initiated from the Consumer EPG to the Provider EPG, including filters and security policies. 1. Configure the details of each contract. Navigate to Tenants >> {{Your_Tenant}} >> Contracts >> Standard (whitelist)/Taboos (blacklist) >> {{Your_Contract}} >> {{your_subject}}. 2. Configure the details of each Provider and Consumer of the contract. Navigate to Tenants >> {{Your_Tenant}} >> Application Profiles >> {{ your_Application_Profile}} >> Application EPGs >> {{Your_EPG}} >> Contracts.

✔️ Fix

Configure "contracts" to define security policies that control traffic between different EPGs. Contract subjects must combine filters that will designate what traffic is allowed to pass through the contract, but for the contract to work it must be applied where the Provider contract is attached to the service side and the Consumer is attached to the user side. Traffic must be initiated from the Consumer EPG to the Provider EPG, including filters and security policies. 1. Configure the details of each contract. Navigate to Tenants >> {{Your_Tenant}} >> Contracts >> Standard (whitelist)/Taboos (blacklist) >> {{Your_Contract}} >> {{your_subject}}. 2. Configure the details of each Provider and Consumer of the contract. Navigate to Tenants >> {{Your_Tenant}} >> Application Profiles >> {{ your_Application_Profile}} >> Application EPGs >> {{Your_EPG}} >> Contracts.