CA-9: INTERNAL SYSTEM CONNECTIONS

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

  • ICS Control Baselines:
      • Low
      • Moderate
      • High

The organization:

    • a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
    • b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

SUPPLEMENTAL GUIDANCE

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

ICS SUPPLEMENTAL GUIDANCE

Organizations perform a risk-benefit analysis to support the determination of whether an ICS should be connected to other internal information system(s) and (separate) constituent system components. The Authorizing Official (AO) fully understands the organizational information security policies and procedures; the ICS security policies and procedures; the risks to organizational operations and assets, individuals, other organizations, and the Nation associated with connecting to other information system(s) and (separate) constituent system components, whether by authorizing each individual internal connection or by authorizing internal connections for a class of components with common characteristics and/or configurations; and the specific health, safety, and environmental risks associated with a particular interconnection. The AO documents risk acceptance in the ICS system security plan.

CONTROL ENHANCEMENTS

CA-9 (1) INTERNAL SYSTEM CONNECTIONS | SECURITY COMPLIANCE CHECKS

NOT SELECTED FOR THE NIST ISC CONTROL SET

The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.

Supplemental Guidance:

Security compliance checks may include, for example, verification of the relevant baseline configuration.
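The following is an added illustration, not part of the NIST control text, of what a pre-connection compliance check against a class baseline (CA-9 (1)) can look like when combined with the per-connection documentation required by CA-9 b. The component classes, baseline values, posture fields and record layout are all constructed for the example; an organization's own baselines and documentation format would take their place. The check fails closed: a component whose class has no authorized baseline is never admitted.

```python
"""Pre-connection baseline compliance check (constructed example for CA-9 / CA-9 (1))."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed class baselines. The class names stand in for the
# "organization-defined classes of components" of CA-9 a.; the values are
# illustrative, not taken from any real baseline.
CLASS_BASELINES: Dict[str, dict] = {
    "digital-printer": {
        "min_firmware": (2, 4, 0),
        "required_settings": {"telnet_enabled": False, "snmp_version": "v3"},
        "allowed_protocols": {"ipp", "https"},
    },
    "field-sensor": {
        "min_firmware": (1, 2, 0),
        "required_settings": {"default_password_changed": True},
        "allowed_protocols": {"modbus-tcp"},
    },
}


@dataclass
class ConnectionRecord:
    """Documentation CA-9 b. requires for one internal connection (constructed layout)."""
    component_id: str
    component_class: str
    interface: str                  # interface characteristics
    information_nature: str         # nature of the information communicated
    security_requirements: List[str]


@dataclass
class Posture:
    """Configuration a component reports before the connection is established (constructed)."""
    firmware: Tuple[int, int, int]
    settings: Dict[str, object]
    protocols: Set[str]


def fmt_version(v: Tuple[int, int, int]) -> str:
    return ".".join(str(part) for part in v)


def compliance_findings(component_class: str, posture: Posture) -> List[str]:
    """Return every deviation from the class baseline; an empty list means compliant."""
    baseline = CLASS_BASELINES.get(component_class)
    if baseline is None:
        # Fail closed: without an authorized baseline there is nothing to verify against.
        return [f"no authorized baseline for class '{component_class}'"]
    findings: List[str] = []
    if posture.firmware < baseline["min_firmware"]:
        findings.append(
            f"firmware {fmt_version(posture.firmware)} below minimum "
            f"{fmt_version(baseline['min_firmware'])}"
        )
    for key, want in baseline["required_settings"].items():
        got = posture.settings.get(key)
        if got != want:
            findings.append(f"setting {key}={got!r}, baseline requires {want!r}")
    extra = posture.protocols - baseline["allowed_protocols"]
    if extra:
        findings.append("protocols not in baseline: " + ", ".join(sorted(extra)))
    return findings


def may_connect(record: ConnectionRecord, posture: Posture) -> Tuple[bool, List[str]]:
    """Gate the internal connection on the compliance check (CA-9 (1))."""
    findings = compliance_findings(record.component_class, posture)
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample: one documented printer connection, checked twice.
    record = ConnectionRecord(
        component_id="prn-01",
        component_class="digital-printer",
        interface="Ethernet, VLAN 20 (constructed)",
        information_nature="print jobs and status",
        security_requirements=["TLS for IPP", "SNMPv3 only", "telnet disabled"],
    )
    good = Posture((2, 4, 1), {"telnet_enabled": False, "snmp_version": "v3"}, {"ipp", "https"})
    bad = Posture((2, 3, 9), {"telnet_enabled": True, "snmp_version": "v3"}, {"ipp", "https", "ftp"})
    for posture in (good, bad):
        allowed, findings = may_connect(record, posture)
        print(record.component_id, "ALLOW" if allowed else "DENY", findings)
```

The decision and its findings are what an organization would log alongside the ConnectionRecord, so the authorization in CA-9 a., the documentation in CA-9 b. and the check in CA-9 (1) refer to the same component and baseline.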

RELATED CONTROLS: CA-9 (1)

REFERENCES:

  • NO REFERENCES