Navigate

CA-3(5)

CA-3(5): Restrictions On External System Connections

The organization employs [one of "allow-all, deny-by-exception"/"deny-all, permit-by-exception"] policy for allowing [one of ] to connect to external information systems.

Supplemental

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CA-3(5).

Control	Description
CM-7	The organization: a: Configures the information system to provide only essential capabilities; and b: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [one of ].

Enhancements

The controls below (if any) add on to the requirements of CA-3(5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CA-3(5).

CCI	Definition
CCI-002080	The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
CCI-002081	The organization defines the information systems that employ either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing connections to external information systems.
CCI-002082	The organization selects either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.