800-53|CA-3

Title

SYSTEM INTERCONNECTIONS

Description

The organization:

Supplemental

This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-20,AC-3,AC-4,AU-12,AU-16,AU-2,CA-7,IA-3,SA-9,SC-7,SI-4

Category: SECURITY ASSESSMENT AND AUTHORIZATION

Family: SECURITY ASSESSMENT AND AUTHORIZATION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
3.1.1.3 Configure EIGRP log-adjacency-changes	Cisco	CIS Cisco NX-OS L2 v1.0.0
3.1.1.3 Configure EIGRP log-adjacency-changes	Cisco	CIS Cisco NX-OS L1 v1.0.0
3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections	Cisco	CIS Cisco NX-OS L2 v1.0.0
3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections	Cisco	CIS Cisco NX-OS L1 v1.0.0
3.4 Ensure Hit count is Enable for the rules	CheckPoint	CIS Check Point Firewall L2 v1.1.0
3.4 Ensure interface description is set	Juniper	CIS Juniper OS Benchmark v2.1.0 L1
3.8 Logging should be enable for all Firewall Rules	CheckPoint	CIS Check Point Firewall L2 v1.1.0
3.10 Ensure Drop Out of State TCP Packets is enabled	CheckPoint	CIS Check Point Firewall L2 v1.1.0
3.11 Ensure Drop Out of State ICMP Packets is enabled	CheckPoint	CIS Check Point Firewall L2 v1.1.0
9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.1.3 Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.2.1 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.2.2 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.2.3 Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.3.1 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.3.2 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.3.3 Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
AIX7-00-003143 - AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.	Unix	DISA STIG AIX 7.x v2r9
AOSX-13-000155 - The macOS system firewall must be configured with a default-deny policy.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Catalina v1.5.0 - 800-171
CIS Control 12 (12.1) Maintain an Inventory of Network Boundaries	Unix	CAS Implementation Group 1 Audit File
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Monterey v1.0.0 - 800-53r4 Moderate
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy	Unix	NIST macOS Monterey v1.0.0 - 800-53r5 High

Detections

Analytics