Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ca-3(3)

system interconnections | unclassified non-national security system connections

assessment objective:

Determine if the organization:

ca-3(3)[1]

defines an unclassified, non-national security system whose direct connection to an external network is to be prohibited without the use of approved boundary protection device;

ca-3(3)[2]

defines a boundary protection device to be used to establish the direct connection of an organization-defined unclassified, non-national security system to an external network; and

ca-3(3)[3]

prohibits the direct connection of an organization-defined unclassified, non-national security system to an external network without the use of an organization-defined boundary protection device.

potential assessment methods and objects:

Examine: [SELECT FROM: Access control policy; procedures addressing information system connections; system and communications protection policy; information system interconnection security agreements; security plan; information system design documentation; information system configuration settings and associated documentation; security assessment report; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibility for managing direct connections to external networks; network administrators; organizational personnel with information security responsibilities; personnel managing directly connected external networks].

Test: [select from: Automated mechanisms supporting the management of external network connections].