FedRAMP - Unclassified Non-National Security System Connections CA-3(3)

Overview:
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device].

Supplemental Guidance:
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI).

Action Items:
1) Implement boundary protection devices between the organization and an external network

Related Documents:
1) Security Assessment and Authorization Policy

2) System Security Plan

3) Network Security Policy

Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
CA-3 (3)-2 [Boundary Protections which meet the Trusted Internet Connection (TIC) requirements]

Moderate Additional FedRAMP Requirements and Guidance
CA-3 (3) Guidance: Refer to Appendix H – Cloud Considerations of the TIC 2.0 Reference Architecture document.