This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs [FedRAMP Selection: (H) deny-all, permit-by-exception] policy for allowing [FedRAMP Assignment: (H) any systems] to connect to external information systems.
CA-3 (5) Additional FedRAMP Requirements and Guidance: For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing.
NIST 800-53 (r4) Supplemental Guidance:
Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7.
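The difference between the two policies above is easiest to see on concrete traffic. The following is an added example, not part of the NIST, FedRAMP or 38North text: a small egress-policy evaluator that expresses the same approved exceptions first as allow-all/deny-by-exception (a blocklist) and then as deny-all/permit-by-exception (an allowlist), evaluates a few constructed connection attempts under each, and renders the stronger policy as an nftables output chain whose default is drop. All addresses (documentation ranges), ports, rule notes, and the `Rule`, `EgressPolicy`, `compare` and `to_nftables` names are assumptions made for the illustration.

```python
# Added example (not part of the FedRAMP/NIST text or 38North guidance): contrasts the
# two CA-3(5) connectivity policies. Hosts, ports and rule notes are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    dst: str               # destination CIDR, e.g. "203.0.113.10/32"
    port: Optional[int]    # None means any port
    proto: str = "tcp"
    note: str = ""         # why the exception exists (ties it to an approved interconnection)

    def matches(self, dst_ip: str, port: int, proto: str) -> bool:
        return (ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port)
                and self.proto == proto)


@dataclass
class EgressPolicy:
    default_action: str    # applied when no rule matches
    rules: list            # first match wins

    def decide(self, dst_ip: str, port: int, proto: str = "tcp"):
        for r in self.rules:
            if r.matches(dst_ip, port, proto):
                return r.action, (r.note or f"rule {r.action} {r.dst}")
        return self.default_action, "default"


def is_deny_all_permit_by_exception(policy: EgressPolicy) -> bool:
    """Assessor check on the configuration: default is deny and every exception is a permit."""
    return policy.default_action == "deny" and all(r.action == "permit" for r in policy.rules)


def to_nftables(policy: EgressPolicy, table: str = "egress") -> str:
    """Render a deny-all/permit-by-exception policy as an nftables output chain (policy drop)."""
    if not is_deny_all_permit_by_exception(policy):
        raise ValueError("only deny-all, permit-by-exception policies are rendered")
    lines = [f"table inet {table} {{", "  chain output {",
             "    type filter hook output priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy.rules:
        net = ip_network(r.dst)
        fam = "ip" if net.version == 4 else "ip6"
        host = net.network_address if net.prefixlen == net.max_prefixlen else net
        match = f"{fam} daddr {host}"
        if r.port is not None:
            match += f" {r.proto} dport {r.port}"
        lines.append(f"    {match} accept  # {r.note}" if r.note else f"    {match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample: the same approved interconnections under each policy.
BLOCKLIST_POLICY = EgressPolicy("permit", [
    Rule("deny", "192.0.2.0/24", None, "tcp", "known-bad range"),
])
ALLOWLIST_POLICY = EgressPolicy("deny", [
    Rule("permit", "203.0.113.10/32", 443, "tcp", "partner API, approved interconnection"),
    Rule("permit", "203.0.113.20/32", 443, "tcp", "OS update mirror"),
])

# Constructed egress attempts: (dst_ip, port, proto)
ATTEMPTS = [
    ("203.0.113.10", 443, "tcp"),   # approved partner API
    ("192.0.2.44", 443, "tcp"),     # inside the known-bad range
    ("198.51.100.7", 443, "tcp"),   # never-seen host, e.g. newly stood-up C2 infrastructure
    ("203.0.113.10", 22, "tcp"),    # approved host, unapproved port
]


def compare(attempts=ATTEMPTS):
    """Attempts the blocklist permits but the allowlist denies: the gap between the two policies."""
    gap = []
    for dst, port, proto in attempts:
        weak, _ = BLOCKLIST_POLICY.decide(dst, port, proto)
        strong, _ = ALLOWLIST_POLICY.decide(dst, port, proto)
        if weak == "permit" and strong == "deny":
            gap.append((dst, port, proto))
    return gap


if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a, "blocklist:", BLOCKLIST_POLICY.decide(*a)[0],
              "allowlist:", ALLOWLIST_POLICY.decide(*a)[0])
    print("permitted only under allow-all/deny-by-exception:", compare())
    print(to_nftables(ALLOWLIST_POLICY))
```

The blocklist can only stop destinations someone already knew to list, so the never-seen host and the unapproved port on an approved host both get through; the allowlist denies them without anyone having to predict them. That is the sense in which the supplemental guidance calls deny-all/allow-by-exception the stronger policy, and `is_deny_all_permit_by_exception` is the shape of check an assessor applies to the configuration: the default action must be deny and each exception must be an explicit, justified permit.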
NIST 800-53 (r5) Discussion:
Withdrawn: Moved to SC-7(5).
38North Guidance:
Meets Minimum Requirement:
Employ a deny-all, permit-by-exception policy for every external system that requires a persistent connection to the information system, so that each permitted connection is an explicit, documented exception rather than the default.
Best Practice:
Define and maintain the list of information systems that are permitted to connect to external information systems, together with the approved exceptions for each; any connection not on that list is denied.
Unofficial FedRAMP Guidance:
For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing.
Assessment Evidence:
Configuration settings for the automated mechanisms (for example, firewall, security group, or proxy rule sets) that enforce the policy on each external connection, showing whether the connection is governed by allow-all/deny-by-exception or by deny-all/permit-by-exception, and demonstrating that the required deny-all, permit-by-exception policy is in effect with each permitted exception identified.
CSP Implementation Tips:
None.