FedRAMP - Restrictions on External System Connections CA-3(5)
Overview:
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
Supplemental Guidance:
Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.
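The two policies are easiest to compare as concrete egress rules. The following is an added illustration, not part of the FedRAMP text: both policies written as nftables rule sets for a single host. The table and set names, the approved destinations (in the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges) and the resolver address are assumed for the example.

```nft
# Added example: the two CA-3(5) connection policies as nftables egress rules.
# Table names, set names and all addresses are assumed for illustration.

# (i) allow-all, deny-by-exception (the weaker policy): every outbound
#     connection is permitted unless the destination is on the block list,
#     so a new or previously unknown destination is reachable by default.
table inet egress_weak {
    set blocked_external {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }      # known-bad range (assumed)
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ip daddr @blocked_external counter drop
    }
}

# (ii) deny-all, permit-by-exception (the stronger policy): nothing leaves the
#      host unless the destination is an approved exception, so a new or
#      unknown destination is blocked by default and is logged for review.
table inet egress_strong {
    set allowed_external {
        type ipv4_addr
        elements = { 203.0.113.10, 203.0.113.11 }   # approved external services (assumed)
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept                                  # local traffic
        ct state established,related accept              # replies to permitted flows
        ip daddr 192.0.2.53 udp dport 53 accept          # organization's resolver (assumed)
        ip daddr @allowed_external tcp dport 443 accept  # the documented exceptions
        counter log prefix "CA-3(5) egress denied: " drop
    }
}
```

Load one table or the other with `nft -f`; if both are loaded, a packet must be accepted by every output chain, so the stronger policy governs. The `log` line in the deny-all table is what makes the exception list maintainable: each denied connection is recorded, and the organization decides whether it becomes an approved exception or stays blocked.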
Related control: CM-7.
Action Items:
1) Implement and document the selected policy (allow-all, deny-by-exception or deny-all, permit-by-exception) for connections between the organization's information systems and external systems, and record the approved exceptions
Related Documents:
1) Security Assessment and Authorization Policy
2) System Security Plan
3) Network Security Policy
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
None
Moderate Additional FedRAMP Requirements and Guidance
CA-3 (5) Guidance: For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing