NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING
CA-9 — Internal System Connections
a. Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;
b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
c. Terminate internal system connections after {{ insert: param, ca-09_odp.02 }}; and
d. Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection.
Supplemental Guidance
Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.
Practitioner Notes
Internal system connections are connections between components that sit inside the same authorization boundary, for example a new server joining the internal network. Unlike information exchange with external systems (CA-3), they do not require an interconnection agreement with another organization, but they still have to be authorized, documented, reviewed at a defined frequency, and terminated when the defined condition is met.
Example 1: Maintain a register of internal connections in the system security plan. For each entry record the interface characteristics (ports, protocols, direction), the security and privacy requirements, and the nature of the information communicated. For instance, the entry for the connection between Active Directory domain controllers and member servers would list the LDAP, Kerberos and SMB traffic involved and note that it carries authentication material.
Example 2: Before a new IoT device or printer is connected to the internal network, require approval from IT security and document the device, its owner, its purpose, its network segment, the condition under which the connection will be removed (for example, decommissioning of the device), and the date it is next due for review. Where many devices share a baseline configuration, authorize them as a class (all printers with a given firmware baseline, all tablets with a given MDM profile) rather than one at a time, as the supplemental guidance permits.