ID.AM-3: Organizational communication and data flows are mapped

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

Approve and manage the exchange of information between the system and other systems using [Assignment (one or more): interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, nondisclosure agreements, [Assignment: organization-defined type of agreement] ]; Document, as part of each exchange agreement, the interface characteristics, security and…

Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; Terminate internal system connections after [Assignment: organization-defined conditions]; and Review [Assignment: organization-defined frequency] the continued need for each internal connection.

Develop security and privacy architectures for the system that: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; Describe how the architectures are integrated into and support…

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture; Accurately and completely describes the required security and privacy functionality, and the allocation of controls…

Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export- controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to…

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or…