Control: The organisation:
C. Reviews and updates Interconnection Security Agreements [Assignment: organisation-defined frequency].
Supplemental Guidance: This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organisations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organisations and external to organisations. Authorising officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorising official, organisations do not need to develop Interconnection Security Agreements. Instead, organisations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorising officials within the same organisation, organisations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organisations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organisations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialised connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.
Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4.
System Interconnections Control Enhancements:
CA-3 (1) System Interconnections - Unclassified national security system connections
The organisation prohibits the direct connection of an [Assignment: organisation-defined unclassified, national security system] to an external network without the use of [Assignment: organisation-defined boundary protection device].
Supplemental Guidance: Organisations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organisations processing, storing, or transmitting Controlled Unclassified Information (CUI).
CA-3 (2) System Interconnections - Classified national security systems connections
The organisation prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organisation-defined boundary protection device].
Supplemental Guidance: Organisations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface/cross-domain systems) provide information flow enforcement from information systems to external networks.
CA-3 (3) System Interconnections - Unclassified non-national security system connections
The organisation prohibits the direct connection of an [Assignment: organisation-defined unclassified, non-national security system] to an external network without the use of [Assignment: organisation-defined boundary protection device].
Supplemental Guidance: Organisations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organisations processing, storing, or transmitting Controlled Unclassified Information (CUI).
CA-3 (4) System Interconnections - Connections to public networks
The organisation prohibits the direct connection of an [Assignment: organisation-defined information system] to a public network.
Supplemental Guidance: A public network is any network accessible to the general public including, for example, the Internet and organisational extranets with public access.
CA-3 (5) System Interconnections - Restrictions on external system connections
The organisation employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organisation-defined information systems] to connect to external information systems.
Supplemental Guidance: Organisations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organisations determine what exceptions, if any, are acceptable.
Related control: CM-7.
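The two CA-3 (5) policies differ in what happens to a destination that is on neither list. The model below is an added illustration, not part of the control text or any NIST tooling; the policy class, the exception lists and the RFC 5737 test addresses are constructed for the example.

```python
"""Models the two CA-3 (5) external-connection policies and shows how each
treats a destination that nobody has explicitly listed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALLOW_ALL = "allow-all, deny-by-exception"   # blacklisting (weaker)
DENY_ALL = "deny-all, permit-by-exception"   # whitelisting (stronger)


@dataclass
class ExternalConnectionPolicy:
    """Hypothetical policy object: a mode plus its list of exceptions.

    Each exception is (destination network, port); port None matches any port.
    """
    mode: str
    exceptions: list = field(default_factory=list)

    def _listed(self, dst_ip: str, dst_port: int) -> bool:
        addr = ip_address(dst_ip)
        return any(addr in ip_network(net) and (port is None or port == dst_port)
                   for net, port in self.exceptions)

    def permits(self, dst_ip: str, dst_port: int) -> bool:
        """Return True if a connection to dst_ip:dst_port may be established."""
        listed = self._listed(dst_ip, dst_port)
        if self.mode == DENY_ALL:
            return listed          # only listed destinations get through
        if self.mode == ALLOW_ALL:
            return not listed      # everything not listed gets through
        raise ValueError(f"unknown policy mode: {self.mode!r}")


# Constructed exception lists using RFC 5737 documentation addresses.
BLACKLIST = ExternalConnectionPolicy(ALLOW_ALL, [("203.0.113.0/24", None)])
WHITELIST = ExternalConnectionPolicy(DENY_ALL, [("198.51.100.10/32", 443)])


def compare(dst_ip: str, dst_port: int) -> dict:
    """Decision of both policies for one destination, keyed by policy name."""
    return {ALLOW_ALL: BLACKLIST.permits(dst_ip, dst_port),
            DENY_ALL: WHITELIST.permits(dst_ip, dst_port)}


if __name__ == "__main__":
    # A destination neither policy has ever heard of: the blacklist fails
    # open and permits it, the whitelist fails closed and denies it.
    print(compare("192.0.2.77", 443))
```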