Restrictions on external system connections (CA-3 (5))
From SecWiki
| Restrictions on external system connections | |
|---|---|
| Identifier | CA-3 (5) |
| Baselines | Mod, High |
| Control | CA-3 System interconnections (CA-3) |
Description
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
Supplemental guidance
Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.
Related controls
| Identifier | Name | Priority | Baseline |
|---|---|---|---|
| CM-7 | Least functionality | P1 | Low, Mod, High |
