This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [FedRAMP Assignment: (L)(M)(H) at least annually and on input from FedRAMP].
NIST 800-53 (r4) Supplemental Guidance:
This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.
Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4.
References: FIPS Publication 199; NIST Special Publication 800-47.
NIST 800-53 (r5) Discussion:
System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2), may help to communicate and reduce risk.
Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged, how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.
38North Guidance:
Meets Minimum Requirement:
List all approved connections to the information system.
Develop and document a dedicated interconnection agreement for each connection that describes the interface characteristics, security requirements, and the nature of the data and information communicated between the two parties. Include a list of roles and responsibilities for both parties so that each party understands who is responsible for any given action, process, or security control.
Review and update each Interconnection Security Agreement at least annually.
Best Practice:
Any third-party, cloud-based service that is connected to the system should have an Interconnection Security Agreement (ISA).
Unofficial FedRAMP Guidance:
FedRAMP requires an agreement that describes what type of connection it is, any security requirements, the type of data being transmitted across the connection, the responsibilities of the two parties/organizations, etc.
For an Agency ATO, all third parties receiving government information and/or security data.
Assessment Evidence:
List of interconnections to external service providers outside of the boundary [i.e., PagerDuty, ServiceNow, etc. This does not include connections to other internal teams or organizations within the boundary].
Copy of the completed interconnection security agreement (ISA) for each interconnection, with the organization as an approving authority along with the interconnected organization [ISAs are required for direct connections, or as required by a client. They are not required for HTTPS or firewall-to-firewall connections].
Evidence of the annual review of all ISAs (e.g., email communication or a new signature page).
CSP Implementation Tips:
None.