last sync: 2024-Jun-14 18:20:16 UTC

Require interconnection security agreements | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Require interconnection security agreements
Id 096a7055-30cb-2db4-3fda-41b20ac72667
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1151 - Require interconnection security agreements
Additional metadata Name/Id: CMA_C1151 / CMA_C1151
Category: Documentation
Title: Require interconnection security agreements
Ownership: Customer
Description: The customer is responsible for authorizing connections from the customer-deployed system to external systems using Interconnection Security Assessments.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 29 compliance controls are associated with this Policy definition 'Require interconnection security agreements' (096a7055-30cb-2db4-3fda-41b20ac72667)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CA-3 FedRAMP_High_R4_CA-3 FedRAMP High CA-3 Security Assessment And Authorization System Interconnections Shared n/a The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. Supplemental Guidance: This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. References: FIPS Publication 199; NIST Special Publication 800-47. link 2
FedRAMP_Moderate_R4 CA-3 FedRAMP_Moderate_R4_CA-3 FedRAMP Moderate CA-3 Security Assessment And Authorization System Interconnections Shared n/a The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. Supplemental Guidance: This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. References: FIPS Publication 199; NIST Special Publication 800-47. link 2
hipaa 0819.09m1Organizational.23-09.m hipaa-0819.09m1Organizational.23-09.m 0819.09m1Organizational.23-09.m 08 Network Protection 0819.09m1Organizational.23-09.m 09.06 Network Security Management Shared n/a A current network diagram (including wireless networks) exists, and is updated whenever there are network changes and no less than every six months. 2
hipaa 0832.09m3Organizational.14-09.m hipaa-0832.09m3Organizational.14-09.m 0832.09m3Organizational.14-09.m 08 Network Protection 0832.09m3Organizational.14-09.m 09.06 Network Security Management Shared n/a The organization uses at least two DNS servers located on different subnets, which are geographically separated and perform different roles (internal and external) to eliminate single points of failure and enhance redundancy. 3
hipaa 0835.09n1Organizational.1-09.n hipaa-0835.09n1Organizational.1-09.n 0835.09n1Organizational.1-09.n 08 Network Protection 0835.09n1Organizational.1-09.n 09.06 Network Security Management Shared n/a Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely. 7
hipaa 0836.09.n2Organizational.1-09.n hipaa-0836.09.n2Organizational.1-09.n 0836.09.n2Organizational.1-09.n 08 Network Protection 0836.09.n2Organizational.1-09.n 09.06 Network Security Management Shared n/a The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization. 4
hipaa 0837.09.n2Organizational.2-09.n hipaa-0837.09.n2Organizational.2-09.n 0837.09.n2Organizational.2-09.n 08 Network Protection 0837.09.n2Organizational.2-09.n 09.06 Network Security Management Shared n/a Formal agreements with external information system providers include specific obligations for security and privacy. 20
hipaa 0865.09m2Organizational.13-09.m hipaa-0865.09m2Organizational.13-09.m 0865.09m2Organizational.13-09.m 08 Network Protection 0865.09m2Organizational.13-09.m 09.06 Network Security Management Shared n/a The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny-all, permit-by-exception policy for allowing connections from the information system to other information systems outside of the organization; and, (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed. 5
hipaa 0885.09n2Organizational.3-09.n hipaa-0885.09n2Organizational.3-09.n 0885.09n2Organizational.3-09.n 08 Network Protection 0885.09n2Organizational.3-09.n 09.06 Network Security Management Shared n/a The organization reviews and updates the interconnection security agreements on an ongoing basis, verifying enforcement of security requirements. 3
hipaa 1119.01j2Organizational.3-01.j hipaa-1119.01j2Organizational.3-01.j 1119.01j2Organizational.3-01.j 11 Access Control 1119.01j2Organizational.3-01.j 01.04 Network Access Control Shared n/a Network equipment is checked for unanticipated dial-up capabilities. 5
hipaa 1408.09e1System.1-09.e hipaa-1408.09e1System.1-09.e 1408.09e1System.1-09.e 14 Third Party Assurance 1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery Shared n/a Service Level Agreements (SLAs) or contracts with an agreed service arrangement address liability, service definitions, security controls, and other aspects of services management. 6
ISO27001-2013 A.13.1.2 ISO27001-2013_A.13.1.2 ISO 27001:2013 A.13.1.2 Communications Security Security of network services Shared n/a Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. link 16
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
ISO27001-2013 A.13.2.2 ISO27001-2013_A.13.2.2 ISO 27001:2013 A.13.2.2 Communications Security Agreements on information transfer Shared n/a Agreements shall address the secure transfer of business information between the organization and external parties. link 11
mp.com.1 Secure perimeter mp.com.1 Secure perimeter 404 not found n/a n/a 56
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
NIST_SP_800-53_R4 CA-3 NIST_SP_800-53_R4_CA-3 NIST SP 800-53 Rev. 4 CA-3 Security Assessment And Authorization System Interconnections Shared n/a The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. Supplemental Guidance: This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. References: FIPS Publication 199; NIST Special Publication 800-47. link 2
NIST_SP_800-53_R5 CA-3 NIST_SP_800-53_R5_CA-3 NIST SP 800-53 Rev. 5 CA-3 Assessment, Authorization, and Monitoring Information Exchange Shared n/a a. Approve and manage the exchange of information between the system and other systems using [Selection (OneOrMore): interconnection security agreements;information exchange security agreements;memoranda of understanding or agreement;service level agreements;user agreements;nondisclosure agreements; [Assignment: organization-defined type of agreement] ] ; b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and c. Review and update the agreements [Assignment: organization-defined frequency]. link 2
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
op.ext.1 Contracting and service level agreements op.ext.1 Contracting and service level agreements 404 not found n/a n/a 35
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 53
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 127
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 096a7055-30cb-2db4-3fda-41b20ac72667
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC