800-53|CA-3(5)

Title

RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

Description

The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

Supplemental

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.
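The audit items listed further down check this policy on a host firewall. As an added example that is not part of the NIST text or of any listed STIG, the following Python classifies a ruleset as deny-all, allow-by-exception or allow-all, deny-by-exception from `iptables -S` text, and lists the exceptions. It also catches the trap an assessor should look for: a declared `-P OUTPUT DROP` policy that a match-less `-A OUTPUT -j ACCEPT` rule turns back into allow-all, leaving every later rule unreachable. The three rulesets at the bottom are constructed samples, not captures from a real host; jumps to user-defined chains, LOG and RETURN are not followed.

```python
"""Classify a host firewall ruleset as deny-all, allow-by-exception or
allow-all, deny-by-exception from `iptables -S` text (CA-3(5), CM-7).

Assumptions (added example, not from NIST or any listed STIG):
  - input is `iptables -S` output or an iptables-save dump of the filter table
  - jumps to user-defined chains, LOG and RETURN are not followed
"""
import shlex
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
DENY = {"DROP", "REJECT"}


@dataclass
class ChainAssessment:
    chain: str
    declared_policy: str      # the -P value ("-" for user-defined chains)
    effective_default: str    # verdict for a packet that matches no rule
    exceptions: list = field(default_factory=list)   # reachable rules overriding the default
    unreachable: list = field(default_factory=list)  # rules shadowed by a match-less terminal rule

    @property
    def model(self) -> str:
        if self.effective_default in DENY:
            return "deny-all, allow-by-exception"
        return "allow-all, deny-by-exception"


def parse_rules(text: str):
    """Return ({chain: policy}, {chain: [(line, match_tokens, target)]})."""
    policies, rules = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", "COMMIT")):
            continue                                  # comments / save-file framing
        if line.startswith(":"):                      # iptables-save ":CHAIN POLICY [p:b]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            rules.setdefault(name, [])
            continue
        tok = shlex.split(line)
        if tok[0] == "-P":                            # -P CHAIN POLICY
            policies[tok[1]] = tok[2]
            rules.setdefault(tok[1], [])
        elif tok[0] == "-N":                          # -N USERCHAIN
            rules.setdefault(tok[1], [])
        elif tok[0] == "-A":                          # -A CHAIN <matches> -j TARGET [opts]
            chain, matches, target = tok[1], [], None
            for i in range(2, len(tok)):
                if tok[i] == "-j":
                    target = tok[i + 1]               # everything after -j is target options
                    break
                matches.append(tok[i])
            rules.setdefault(chain, []).append((line, matches, target))
    return policies, rules


def assess_chain(chain: str, policies: dict, rules: dict) -> ChainAssessment:
    declared = policies.get(chain, "-")
    a = ChainAssessment(chain, declared, declared)
    chain_rules = rules.get(chain, [])
    # The first rule with no match conditions and a terminal verdict catches every
    # packet: it, not the -P policy, is the real default, and later rules are dead.
    cut = next((i for i, (_, m, t) in enumerate(chain_rules)
                if not m and t in TERMINAL), None)
    reachable = chain_rules
    if cut is not None:
        a.effective_default = chain_rules[cut][2]
        a.unreachable = [r[0] for r in chain_rules[cut + 1:]]
        reachable = chain_rules[:cut]
    default_is_deny = a.effective_default in DENY
    for line, _, target in reachable:
        if target in TERMINAL and (target in DENY) != default_is_deny:
            a.exceptions.append(line)                 # the "by exception" part of the policy
    return a


def assess(text: str, chains=("INPUT", "OUTPUT")) -> dict:
    policies, rules = parse_rules(text)
    return {c: assess_chain(c, policies, rules) for c in chains}


def is_deny_all_allow_by_exception(text: str, chain: str = "OUTPUT") -> bool:
    """CA-3(5) is about this system connecting *to* others, so check OUTPUT."""
    return assess(text, (chain,))[chain].effective_default in DENY


# Constructed sample dumps (hypothetical addresses, not captured from a real host).
COMPLIANT = """\
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.0.0.53/32 -p udp -m udp --dport 53 -j ACCEPT
"""
WEAK = """\
-P INPUT DROP
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
"""
TRAP = """\
-P INPUT DROP
-P OUTPUT DROP
-A OUTPUT -j ACCEPT
-A OUTPUT -d 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
"""

if __name__ == "__main__":
    for name, dump in (("COMPLIANT", COMPLIANT), ("WEAK", WEAK), ("TRAP", TRAP)):
        out = assess(dump)["OUTPUT"]
        print(f"{name}: -P {out.declared_policy}, effective {out.effective_default}: "
              f"{out.model}; {len(out.exceptions)} exception(s), "
              f"{len(out.unreachable)} unreachable")
```

Run it against `iptables -S` output from the host being assessed (or `ip6tables -S`, which uses the same syntax). The reported exception list is what the organization must have documented and approved for the deny-all, allow-by-exception policy to hold; a non-empty unreachable list means the configuration does not do what its declared policy suggests.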

Reference Item Details

Related: CM-7

Category: SECURITY ASSESSMENT AND AUTHORIZATION

Parent Title: SYSTEM INTERCONNECTIONS

Family: SECURITY ASSESSMENT AND AUTHORIZATION

Baseline Impact: MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
AIX7-00-003143 - AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. | Unix | DISA STIG AIX 7.x v2r3
AIX7-00-003143 - AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. | Unix | DISA STIG AIX 7.x v2r1
AIX7-00-003143 - AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. | Unix | DISA STIG AIX 7.x v2r9
AOSX-13-000155 - The macOS system firewall must be configured with a default-deny policy. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Catalina v1.5.0 - 800-171
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 High
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 High
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Monterey v1.0.0 - All Profiles
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Monterey v1.0.0 - 800-171
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Moderate
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall Policy | Unix | NIST macOS Monterey v1.0.0 - CNSSI 1253
SLES-12-030030 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments - active | Unix | DISA SLES 12 STIG v2r2
SLES-12-030030 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments - active | Unix | DISA SLES 12 STIG v2r1
SLES-12-030030 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Unix | DISA SLES 12 STIG v2r13
SLES-15-010220 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments - active | Unix | DISA SLES 15 STIG v1r3
SLES-15-010220 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments - active | Unix | DISA SLES 15 STIG v1r1
SLES-15-010220 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments - rules | Unix | DISA SLES 15 STIG v1r3
SLES-15-010220 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments - rules | Unix | DISA SLES 15 STIG v1r1
UBTU-16-030050 - An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Unix | DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-16-030050 - An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Unix | DISA STIG Ubuntu 16.04 LTS v2r1
UBTU-16-030060 - The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Unix | DISA STIG Ubuntu 16.04 LTS v2r1
WN16-00-000310 - A host-based firewall must be installed and enabled on the system. | Windows | DISA Windows Server 2016 STIG v2r8
WN19-00-000280 - Windows Server 2019 must have a host-based firewall installed and enabled. | Windows | DISA Windows Server 2019 STIG v2r9
WN22-00-000280 - Windows Server 2022 must have a host-based firewall installed and enabled. | Windows | DISA Windows Server 2022 STIG v1r5