This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
NIST 800-53 (r4) Supplemental Guidance:
This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4.
NIST 800-53 (r5) Discussion:
Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.
38North Guidance:
Meets Minimum Requirement:
Internal system connections shall be authorized, and each connection shall be documented with the System Security Plan (SSP) (PL-2). See CA-3 for the required information that must be documented for each system connection (e.g., purpose of the connection, data/information being transferred/processed/maintained, etc.).
Best Practice:
None.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Evidence of internal connections, including:
Authorization of connection
What components are being connected to/from
Interface characteristics
Security requirements
Nature of information being communicated
CSP Implementation Tips:
None.