Prevent Exfiltration
System and Communications Protection
NIST Control Text
Prevent the exfiltration of information; and
Conduct exfiltration tests [Assignment: organization-defined frequency].
NIST Discussion
Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with cross-domain solutions and system guards that enforce information flow requirements.
SL5 Supplemental Guidance
Organizations prevent exfiltration of covered models through physical bandwidth limitation on outbound flows from Weight Enclaves. Hardware-enforced rate limiting provides deterministic throughput caps that prevent weight exfiltration, even if attempts go undetected. This assumes covered models are substantially larger than required outputs crossing the boundary; if this assumption does not hold, alternative controls are required. Limits are calibrated based on model size and organizational threat model to make weight exfiltration infeasible within acceptable time scales.
Boundary bandwidth may be preserved through multiple strategies: placing systems requiring high data volumes within the Weight Enclave per SC-7(21) to avoid boundary bandwidth consumption entirely, or minimizing outbound data volume by processing outputs within the Weight Enclave before transfer. Examples include stripping thinking tokens from inference responses, aggregating results, extracting only necessary information, or exfiltrating high-level experiment plans to be implemented by less capable models running in the broader SL5 Network.
Organizations implement additional exfiltration prevention mechanisms, such as bandwidth accounting and monitoring, detection and response capabilities per SI-4 and IR-4, monitoring for steganography, and traffic profile analysis. Physical bandwidth limitation serves as the hard cap that bounds exfiltration risk even if other mechanisms are bypassed or detection fails.