catalog: SP800-53rev3 / class: Management / family: (CA) Security Assessment and Authorization


CA-03: Information System Connections

base control objective:
The organization:
a. Authorizes all connections from the information system to other information systems outside of the authorization boundary through the use of system connection agreements;
b. Documents the information system connections and associated security requirements for each connection; and
c. Monitors the information system connections on an ongoing basis verifying enforcement of documented security requirements.

supplemental objective information:
This control applies to persistent connections between the information system and other systems. This control is not intended to apply to transitory, user-controlled connections such as email and website browsing, nor to connections with external providers who are only providing telecommunications and transmission services. Authorizing officials determine whether a specific connection is persistent versus transitory. The organization carefully considers the risks that may be introduced when systems are connected to other information systems with different security requirements and security controls, both within the organization and external to the organization. Each connection between information systems must be addressed individually, documenting the interface characteristics. The level of formality for this documentation varies depending upon the relationship between the information systems. The relationship ranges from information systems with the same owner, for which there is no need of an agreement but simply a description of the interface characteristics, to systems within different agencies, necessitating a formal Interconnection Security Agreement (ISA) and Memorandum of Understanding/Agreement (MOU/A). In every case, documenting the interface characteristics is required, yet the formality and approval process vary considerably, even though all accomplish the same fundamental objective of managing the risk incurred by the interconnection of the information systems. Risk considerations also include information systems sharing the same networks.
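The three parts of the base control (authorize, document, monitor) and the guidance on how formal the documentation must be translate naturally into a connection register that is checked against what is actually observed on the network. The following Python is an added example, not text or code from NIST or the SP800-53 catalog; the register entries, the observed-connection inventory lines, the `relationship` categories and the `same_organization` handling are all constructed assumptions for illustration (the guidance only spells out the "same owner" and "different agencies" ends of the range).

```python
"""Connection register check in the spirit of SP 800-53 CA-3 (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Interface:
    """Documented interface characteristics for one connection (CA-3 b)."""
    protocol: str
    port: int
    direction: str  # "inbound", "outbound" or "bidirectional"


@dataclass(frozen=True)
class ConnectionAgreement:
    """One entry in the organization's connection register (CA-3 a/b)."""
    remote_system: str
    relationship: str  # "same_owner", "same_organization" or "external_agency" (assumed categories)
    interfaces: frozenset  # of Interface
    isa_on_file: bool  # Interconnection Security Agreement signed
    mou_on_file: bool  # Memorandum of Understanding/Agreement signed
    authorized_until: date  # expiry of the connection authorization


def required_artifacts(agreement):
    """Documentation the guidance calls for: same owner needs only an interface
    description; different agencies need a formal ISA plus MOU/A. The intermediate
    same-organization case is an assumption here (interface description at minimum)."""
    if agreement.relationship == "external_agency":
        return {"interface description", "ISA", "MOU/A"}
    return {"interface description"}


def documentation_gaps(agreement):
    """Return the required artifacts missing for an agreement (empty list = complete)."""
    on_file = set()
    if agreement.interfaces:
        on_file.add("interface description")
    if agreement.isa_on_file:
        on_file.add("ISA")
    if agreement.mou_on_file:
        on_file.add("MOU/A")
    return sorted(required_artifacts(agreement) - on_file)


# Constructed inventory format for observed persistent system-to-system connections.
OBSERVED_LINE = re.compile(
    r"peer=(?P<peer>\S+)\s+proto=(?P<proto>\w+)\s+port=(?P<port>\d+)\s+dir=(?P<dir>\w+)"
)


def parse_observed(lines):
    """Parse inventory lines into (peer, protocol, port, direction) tuples."""
    observed = []
    for line in lines:
        m = OBSERVED_LINE.search(line)
        if m:
            observed.append((m["peer"], m["proto"], int(m["port"]), m["dir"]))
    return observed


def _documented(agreement, proto, port, direction):
    """True if the observed interface matches a documented one (bidirectional covers both)."""
    return any(
        i.protocol == proto and i.port == port and i.direction in (direction, "bidirectional")
        for i in agreement.interfaces
    )


def check_observed(observed, register, today):
    """Classify each observed connection against the register (CA-3 c, ongoing monitoring)."""
    by_peer = {a.remote_system: a for a in register}
    findings = []
    for peer, proto, port, direction in observed:
        agreement = by_peer.get(peer)
        if agreement is None:
            status = "UNAUTHORIZED"  # no agreement covers this peer at all
        elif agreement.authorized_until < today:
            status = "EXPIRED"  # authorization lapsed; must be renewed or the link removed
        elif not _documented(agreement, proto, port, direction):
            status = "DRIFT"  # peer is authorized, but this interface was never documented
        else:
            status = "OK"
        findings.append((peer, proto, port, direction, status))
    return findings


# Constructed sample register and observed-connection inventory (not real systems).
REGISTER = [
    ConnectionAgreement("hr-payroll", "same_owner",
                        frozenset({Interface("tcp", 443, "outbound")}), False, False, date(2025, 12, 31)),
    ConnectionAgreement("partner-agency-gw", "external_agency",
                        frozenset({Interface("tcp", 22, "bidirectional")}), True, True, date(2025, 6, 30)),
    ConnectionAgreement("old-reporting-feed", "external_agency",
                        frozenset({Interface("tcp", 8443, "inbound")}), True, False, date(2023, 1, 31)),
]
OBSERVED_LINES = [
    "2024-05-01T10:00Z peer=hr-payroll proto=tcp port=443 dir=outbound",
    "2024-05-01T10:00Z peer=hr-payroll proto=tcp port=3306 dir=outbound",
    "2024-05-01T10:01Z peer=partner-agency-gw proto=tcp port=22 dir=inbound",
    "2024-05-01T10:02Z peer=old-reporting-feed proto=tcp port=8443 dir=inbound",
    "2024-05-01T10:03Z peer=unknown-host proto=udp port=514 dir=outbound",
]


def run_example(today=date(2024, 5, 1)):
    """Return (documentation gaps per agreement, findings per observed connection)."""
    gaps = {a.remote_system: documentation_gaps(a) for a in REGISTER}
    findings = check_observed(parse_observed(OBSERVED_LINES), REGISTER, today)
    return gaps, findings


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

Run stand-alone, the register check reports that `old-reporting-feed` is a cross-agency link missing its MOU/A, and the monitoring pass separates a documented interface (OK) from an undocumented port on an authorized peer (DRIFT), a lapsed authorization (EXPIRED) and a peer with no agreement at all (UNAUTHORIZED). Keeping the last two distinct matters in practice: drift and expiry are usually fixed by updating the register, whereas an unauthorized peer needs an investigation before anything is signed.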

enhancements to the base objective:

(1) The organization prohibits the direct connection of an unclassified, national security system to an external network.
Enhancement Supplemental Guidance: An external network is a network that is not controlled by the organization (e.g., the Internet). No direct connection means that an information system cannot connect to an external network without the use of an approved boundary protection device (e.g., firewall) that mediates the communication between the system and the network.

(2) The organization prohibits the direct connection of a classified, national security system to an external network.
Enhancement Supplemental Guidance: An external network is a network that is not controlled by the organization (e.g., the Internet). No direct connection means that an information system cannot connect to an external network without the use of an approved boundary protection device (e.g., firewall) that mediates the communication between the system and the network. In addition, the approved boundary protection device (typically a managed interface/cross-domain system), provides information flow enforcement from the information system to the external network consistent with AC-04.

mapping to FIPS199 baseline:

LOW: base     MOD: base     HIGH: base

related (regimented) controls:

SC-07   Boundary Protection
SA-09   External Information System Services

documents referenced in SP800-53rev3 for CA-03:

Document        Date            Status    Title
FIPS 199        February 2004   current   Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-18   February 2006   current   Guide for Developing Security Plans for Federal Information Systems
NIST SP800-47   August 2002     current   Security Guide for Interconnecting Information Technology Systems
