Restrictions on external system connections (CA-3 (5))

From SecWiki
Restrictions on external system connections
Identifier: CA-3 (5)
Baselines: Mod, High
Control: CA-3 System interconnections (CA-3)


Description

The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

Supplemental guidance

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.
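The two policies described above, as an added example that is not part of the SecWiki page or the control text: one destination check evaluated under each policy, so the difference for an unlisted destination is visible. The `Policy` enum, the function names and the `.example` hostnames are assumptions made up for illustration.

```python
from enum import Enum


class Policy(Enum):
    ALLOW_ALL_DENY_BY_EXCEPTION = "blacklisting"
    DENY_ALL_PERMIT_BY_EXCEPTION = "whitelisting"


def normalize(host: str) -> str:
    """Canonicalise a hostname: trim, drop the root dot, lower-case."""
    return host.strip().rstrip(".").lower()


def matches(host: str, entry: str) -> bool:
    """True if host equals entry or is a subdomain of it.

    The comparison is made on a label boundary, so 'notvendor.example'
    does not match an entry for 'vendor.example'.
    """
    host, entry = normalize(host), normalize(entry)
    return host == entry or host.endswith("." + entry)


def is_allowed(policy: Policy, exceptions: list[str], host: str) -> bool:
    """Decide one outbound connection under the selected policy."""
    if not normalize(host):
        return False  # malformed destination: refuse under either policy
    listed = any(matches(host, e) for e in exceptions)
    if policy is Policy.DENY_ALL_PERMIT_BY_EXCEPTION:
        return listed          # only listed destinations get out
    return not listed          # everything gets out unless listed


def compare(hosts, permit_list, deny_list):
    """Return (host, allowed under whitelisting, allowed under blacklisting)."""
    return [
        (h,
         is_allowed(Policy.DENY_ALL_PERMIT_BY_EXCEPTION, permit_list, h),
         is_allowed(Policy.ALLOW_ALL_DENY_BY_EXCEPTION, deny_list, h))
        for h in hosts
    ]


if __name__ == "__main__":
    # Constructed sample data; the .example names are placeholders.
    permit = ["vendor.example"]
    deny = ["blocked.example"]
    for row in compare(["updates.vendor.example", "cdn.blocked.example",
                        "never-seen-before.example"], permit, deny):
        print(row)
```

The destination that appears on neither list is refused under deny-all, permit-by-exception and let through under allow-all, deny-by-exception, which is why the guidance calls the latter the weaker policy.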

Related controls

Identifier | Name | Priority | Baseline
CM-7 | Least functionality | P1 | Low, Mod, High