Navigate

CA-9

CA-9: Internal System Connections

The organization:

a: Authorizes internal connections of [one of ] to the information system; and

b: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

Supplemental

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
Privacy (High), Privacy (Mod), Privacy (PHI)

CSF Categories
ID.AM-3

Related Controls

The controls below (if any) were marked by NIST as being related to CA-9.

Control	Description
AC-3	The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-4	The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [one of ].
AC-18	The organization: a: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and b: Authorizes wireless access to the information system prior to allowing such connections.
AC-19	The organization: a: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b: Authorizes the connection of mobile devices to organizational information systems.
AU-2	The organization: a: Determines that the information system is capable of auditing the following events: [one of ]; b: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d: Determines that the following events are to be audited within the information system: [one of ].
AU-12	The information system: a: Provides audit record generation capability for the auditable events defined in AU-2 a. at [one of ]; b: Allows [one of ] to select which auditable events are to be audited by specific components of the information system; and c: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
CA-7	The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a: Establishment of [one of ] to be monitored; b: Establishment of [one of ] for monitoring and [one of ] for assessments supporting such monitoring; c: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e: Correlation and analysis of security-related information generated by assessments and monitoring; f: Response actions to address results of the analysis of security-related information; and g: Reporting the security status of organization and the information system to [one of ] [one of ].
CM-2	The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
IA-3	The information system uniquely identifies and authenticates [one of ] before establishing a [one or more of "local"/"remote"/"network"] connection.
SC-7	The information system: a: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b: Implements subnetworks for publicly accessible system components that are [one of "physically"/"logically"] separated from internal organizational networks; and c: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SI-4	The organization: a: Monitors the information system to detect: 1: Attacks and indicators of potential attacks in accordance with [one of ]; and 2: Unauthorized local, network, and remote connections; b: Identifies unauthorized use of the information system through [one of ]; c: Deploys monitoring devices: 1: Strategically within the information system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g: Provides [one of ] to [one of ] [one or more of "as needed"/" {{ insert: param, si-4_prm_6 }} "].

Enhancements

The controls below (if any) add on to the requirements of CA-9.

Control	Description
CA-9(1)	The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.

Related CCIs

The CCIs below are tied to CA-9.

CCI	Definition
CCI-002101	Authorizes internal connections of organization-defined system components or classes of components to the system.
CCI-002102	Defines the system components or classes of components that are authorized internal connections to the system.
CCI-002103	Document, for each internal connection, the interface characteristics.
CCI-002104	Document, for each internal connection, the security requirements.
CCI-002105	Document, for each internal connection, the nature of the information communicated.