CA-03 Information System Connections

Security Assessment and Authorization

Low, Moderate, High

Description

The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements and monitors/controls the system connections on an ongoing basis.

Supplemental Guidance

Since FIPS 199 security categorizations apply to individual information systems, the organization carefully considers the risks that may be introduced when systems are connected to other information systems with different security requirements and security controls, both within the organization and external to the organization. Risk considerations also include information systems sharing the same networks. NIST Special Publication 800-47 provides guidance on connecting information systems. Related security controls: SC-07, SA-09.

Changes from Rev 4

Title changed from 'System Interconnections'.
Parameter includes a selection of multiple types of agreements.
Control text adds privacy requirements.
Discussion expanded to cover responsibilities for each system.

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

A.5.14

COBIT 2019

APO09

NIST CSF 2.0

ID.AM-03

ISO 42001:2023

A.10.2

PRA Operational Resilience

SS2/21-9.1

ANSSI

Hygiene.26, Hygiene.9, SecNumCloud.14.1

FINMA Circular 2023/1

IV.C(62), IV.F(100), V(101)

OSFI B-13

B-13.2.2, B-13.3.2

EU GDPR

Art.28(3)(a), Art.32(1)(a)

EU DORA

Art.9(4)(a)

RBI CSF

Annex1.4, Annex1.11

FISC Security Guidelines

FISC.O6, FISC.T13, FISC.T3, FISC.T9

LGPD + BCB 4893

BCB.Art.11

EU CRA

CRA.I.2i, CRA.Info.8f

SWIFT CSCF

SWIFT.1.1, SWIFT.1.5, SWIFT.2.8

NCA ECC

2-5, 4-1, 4-2

UAE IA

T8

Qatar NIA

CS

CBUAE

CR-14

CBE CSF

CTO-11, GOV-3

BoG CISD

CISD-COMP, CISD-XI, CISD-XIII

BoM CTRM

3.9

IOSCO Cyber Resilience

GOV-5, ID-2, PFMI-20, PROT-2

BCBS 239

Principle 14

CPMI-IOSCO PFMI

PFMI.P22

FFIEC IS

II.C.20, II.C.6, II.C.9

NYDFS 500

500.11

HIPAA Security Rule

§164.308(b)(1), §164.308(b)(3), §164.314(a)(1), §164.314(a)(2)

ECB CROE

CROE.2.2.3, CROE.2.3.5

SEBI CSCRF

PR.CS

BOT Cyber Resilience

Ch5.2

CMMC 2.0

CA

Common Criteria

CC Part 2 — FRU/FTA/FTP

ISAE 3402

Clause 7, Clause 8

Solvency II

EIOPA-ICT-4.6

Lloyd's Minimum Standards

MS13.1, MS8.9

NAIC Insurance Data Security

4D

HITRUST CSF v11

05.b

ISO 27799

13.1, 13.2, H.2

NHS DSPT

NDG-10.2, NDG-10.3

MiCA

Art.66(1), Art.66(3)

Basel SCO60

SCO60.54, SCO60.84

ISO 17799 (legacy)

10.6.2, 10.9.1, 11.4.5, 11.4.6, 11.4.7

COBIT 4.1 (legacy)

None.