| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CA-3(5) |
FedRAMP_High_R4_CA-3(5) |
FedRAMP High CA-3 (5) |
Security Assessment And Authorization |
Restrictions On External System Connections |
Shared |
n/a |
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
Supplemental Guidance: Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. |
link |
1 |
| FedRAMP_Moderate_R4 |
CA-3(5) |
FedRAMP_Moderate_R4_CA-3(5) |
FedRAMP Moderate CA-3 (5) |
Security Assessment And Authorization |
Restrictions On External System Connections |
Shared |
n/a |
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
Supplemental Guidance: Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. |
link |
1 |
| hipaa |
0865.09m2Organizational.13-09.m |
hipaa-0865.09m2Organizational.13-09.m |
0865.09m2Organizational.13-09.m |
08 Network Protection |
0865.09m2Organizational.13-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny-all, permit-by-exception policy for allowing connections from the information system to other information systems outside of the organization; and, (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed. |
|
5 |
| hipaa |
0886.09n2Organizational.4-09.n |
hipaa-0886.09n2Organizational.4-09.n |
0886.09n2Organizational.4-09.n |
08 Network Protection |
0886.09n2Organizational.4-09.n 09.06 Network Security Management |
Shared |
n/a |
The organization employs and documents in a formal agreement or other document—either i) allow-all, deny-by-exception, or ii) deny-all, permit-by-exception (preferred)—policy for allowing specific information systems to connect to external information systems. |
|
2 |
| NIST_SP_800-53_R4 |
CA-3(5) |
NIST_SP_800-53_R4_CA-3(5) |
NIST SP 800-53 Rev. 4 CA-3 (5) |
Security Assessment And Authorization |
Restrictions On External System Connections |
Shared |
n/a |
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
Supplemental Guidance: Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. |
link |
1 |
| SWIFT_CSCF_v2022 |
1.5A |
SWIFT_CSCF_v2022_1.5A |
SWIFT CSCF v2022 1.5A |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
Shared |
n/a |
A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. |
link |
26 |