BRACKETOLOGY | FEDRAMP
CA-9: INTERNAL SYSTEM CONNECTIONS
FedRAMP Baseline Membership CA-9:
- LOW
- MODERATE
- HIGH
FedRAMP Bracketology
Use the FedRAMP Control Membership information above to determine whether a control or control enhancement is required for each Impact Baseline: LOW, MODERATE, or HIGH.
Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.
The organization:
- a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
- b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.
There are no FedRAMP-specific requirements if this control is used for a HIGH Impact system.
SUPPLEMENTAL GUIDANCE
This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.
RELATED CONTROLS: CA-9
CONTROL ENHANCEMENTS
CA-9 (1) INTERNAL SYSTEM CONNECTIONS | SECURITY COMPLIANCE CHECKS
The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
Supplemental Guidance:
Security compliance checks may include, for example, verification of the relevant baseline configuration.
RELATED CONTROLS: CA-9 (1)