Human Reviews
Access Control
NIST Control Text
Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
NIST Discussion
Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations.
Parameter Values
Assignment (information flows): Data quarantined by automated detection systems (AC-4(15))
Assignment (conditions): Automated detection systems flag content as potentially malicious; detection systems encounter processing errors or ambiguous cases
SL5 Supplemental Guidance
The organization requires human review of quarantined data before making clearance or rejection decisions. The organization defines review scope based on operational capacity and false positive rates: either all quarantined data or a sample sufficient to validate detection effectiveness.
Human reviews provide oversight of automated detection, enabling identification of false positives, confirmation of true detections, and discovery of attack patterns not yet captured by automated mechanisms. Higher-risk data receives more intensive review.
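As an added illustration, not code or text from NIST SP 800-53 or from the organization's guidance, the review-scope rule above can be encoded as a triage step: items that always need a human (high risk, detector errors, ambiguous cases) are reviewed, the rest are fully reviewed or sampled depending on capacity, and reviewer outcomes yield the false positive rate that sets next cycle's scope. The risk tiers, quarantine reasons, capacity and minimum sample size are assumptions.

```python
from dataclasses import dataclass
import random

# Assumed quarantine reasons that always require a human decision.
MANDATORY_REASONS = {"processing_error", "ambiguous"}

@dataclass(frozen=True)
class QuarantinedItem:
    item_id: str
    risk: str       # assumed tiers: "high", "medium" or "low"
    reason: str     # e.g. "flagged_malicious", "processing_error", "ambiguous"

@dataclass
class ReviewPlan:
    mandatory: list          # always reviewed by a human this cycle
    sampled: list            # reviewed to validate detection effectiveness
    deferred: list           # stay quarantined; never cleared without review
    sample_sufficient: bool  # False when the sample is below min_sample

def plan_human_review(items, capacity, min_sample, seed=0):
    """Select which quarantined items get human review this cycle.
    Policy encoded (an assumption): high-risk items, detector errors and
    ambiguous cases are always reviewed; everything else is reviewed when
    capacity allows, otherwise a random sample fills the remaining capacity
    and the rest is deferred, flagging whether the sample is large enough."""
    mandatory = [i for i in items
                 if i.risk == "high" or i.reason in MANDATORY_REASONS]
    fixed = {i.item_id for i in mandatory}
    rest = [i for i in items if i.item_id not in fixed]
    budget = max(0, capacity - len(mandatory))
    if len(rest) <= budget:
        return ReviewPlan(mandatory, rest, [], True)
    sampled = random.Random(seed).sample(rest, budget)  # seeded: reproducible
    chosen = {i.item_id for i in sampled}
    deferred = [i for i in rest if i.item_id not in chosen]
    return ReviewPlan(mandatory, sampled, deferred, budget >= min_sample)

def observed_false_positive_rate(decisions):
    """decisions: {item_id: "clear" | "reject"} recorded by the reviewer.
    Items a human clears were detector false positives; the rate decides
    whether the next cycle reviews everything or only a sample."""
    if not decisions:
        return None
    cleared = sum(1 for d in decisions.values() if d == "clear")
    return cleared / len(decisions)

def example_queue():
    """Constructed sample queue: ten low-risk flags, one high-risk, one error."""
    items = [QuarantinedItem(f"q{n}", "low", "flagged_malicious") for n in range(10)]
    items.append(QuarantinedItem("h1", "high", "flagged_malicious"))
    items.append(QuarantinedItem("e1", "low", "processing_error"))
    return items
```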