CA-3(5): Restrictions On External System Connections

Control Family:

Security Assessment And Authorization

Parent Control:

CA-3: System Interconnections

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

Baselines:

Moderate
High

Control is withdrawn in the next version of this control set and incorporated into: SC-7(5): Deny by Default – Allow by Exception.

Control Statement

The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

Supplemental Guidance

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.