| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CA-3 |
FedRAMP_High_R4_CA-3 |
FedRAMP High CA-3 |
Security Assessment And Authorization |
System Interconnections |
Shared |
n/a |
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
Supplemental Guidance: This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.
Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4.
References: FIPS Publication 199; NIST Special Publication 800-47. |
link |
2 |
| FedRAMP_Moderate_R4 |
CA-3 |
FedRAMP_Moderate_R4_CA-3 |
FedRAMP Moderate CA-3 |
Security Assessment And Authorization |
System Interconnections |
Shared |
n/a |
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
Supplemental Guidance: This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.
Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4.
References: FIPS Publication 199; NIST Special Publication 800-47. |
link |
2 |
| hipaa |
0832.09m3Organizational.14-09.m |
hipaa-0832.09m3Organizational.14-09.m |
0832.09m3Organizational.14-09.m |
08 Network Protection |
0832.09m3Organizational.14-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization uses at least two DNS servers located on different subnets, which are geographically separated and perform different roles (internal and external) to eliminate single points of failure and enhance redundancy. |
|
3 |
| hipaa |
0836.09.n2Organizational.1-09.n |
hipaa-0836.09.n2Organizational.1-09.n |
0836.09.n2Organizational.1-09.n |
08 Network Protection |
0836.09.n2Organizational.1-09.n 09.06 Network Security Management |
Shared |
n/a |
The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization. |
|
4 |
| hipaa |
0837.09.n2Organizational.2-09.n |
hipaa-0837.09.n2Organizational.2-09.n |
0837.09.n2Organizational.2-09.n |
08 Network Protection |
0837.09.n2Organizational.2-09.n 09.06 Network Security Management |
Shared |
n/a |
Formal agreements with external information system providers include specific obligations for security and privacy. |
|
20 |
| hipaa |
0865.09m2Organizational.13-09.m |
hipaa-0865.09m2Organizational.13-09.m |
0865.09m2Organizational.13-09.m |
08 Network Protection |
0865.09m2Organizational.13-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny-all, permit-by-exception policy for allowing connections from the information system to other information systems outside of the organization; and, (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed. |
|
5 |
| hipaa |
0885.09n2Organizational.3-09.n |
hipaa-0885.09n2Organizational.3-09.n |
0885.09n2Organizational.3-09.n |
08 Network Protection |
0885.09n2Organizational.3-09.n 09.06 Network Security Management |
Shared |
n/a |
The organization reviews and updates the interconnection security agreements on an ongoing basis, verifying enforcement of security requirements. |
|
3 |
| hipaa |
1408.09e1System.1-09.e |
hipaa-1408.09e1System.1-09.e |
1408.09e1System.1-09.e |
14 Third Party Assurance |
1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
Service Level Agreements (SLAs) or contracts with an agreed service arrangement address liability, service definitions, security controls, and other aspects of services management. |
|
6 |
| ISO27001-2013 |
A.13.1.2 |
ISO27001-2013_A.13.1.2 |
ISO 27001:2013 A.13.1.2 |
Communications Security |
Security of network services |
Shared |
n/a |
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. |
link |
16 |
| ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
| ISO27001-2013 |
A.13.2.2 |
ISO27001-2013_A.13.2.2 |
ISO 27001:2013 A.13.2.2 |
Communications Security |
Agreements on information transfer |
Shared |
n/a |
Agreements shall address the secure transfer of business information between the organization and external parties. |
link |
11 |
| NIST_SP_800-53_R4 |
CA-3 |
NIST_SP_800-53_R4_CA-3 |
NIST SP 800-53 Rev. 4 CA-3 |
Security Assessment And Authorization |
System Interconnections |
Shared |
n/a |
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
Supplemental Guidance: This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.
Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4.
References: FIPS Publication 199; NIST Special Publication 800-47. |
link |
2 |
| NIST_SP_800-53_R5 |
CA-3 |
NIST_SP_800-53_R5_CA-3 |
NIST SP 800-53 Rev. 5 CA-3 |
Assessment, Authorization, and Monitoring |
Information Exchange |
Shared |
n/a |
a. Approve and manage the exchange of information between the system and other systems using [Selection (OneOrMore): interconnection security agreements;information exchange security agreements;memoranda of understanding or agreement;service level agreements;user agreements;nondisclosure agreements; [Assignment: organization-defined type of agreement] ] ;
b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
c. Review and update the agreements [Assignment: organization-defined frequency]. |
link |
2 |