800-53|CA-3(5)

Title

RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

Description

The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

Supplemental

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.

Reference Item Details

Related: CM-7

Category: SECURITY ASSESSMENT AND AUTHORIZATION

Parent Title: SYSTEM INTERCONNECTIONS

Family: SECURITY ASSESSMENT AND AUTHORIZATION

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
AIX7-00-003143 - AIX must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.UnixDISA STIG AIX 7.x v3r1
AOSX-13-000155 - The macOS system firewall must be configured with a default-deny policy.UnixDISA STIG Apple Mac OSX 10.13 v2r5
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Catalina v1.5.0 - All Profiles
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Catalina v1.5.0 - 800-171
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Monterey v1.0.0 - 800-53r4 High
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Monterey v1.0.0 - 800-53r5 High
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Monterey v1.0.0 - All Profiles
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Monterey v1.0.0 - 800-171
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Monterey v1.0.0 - 800-53r4 Moderate
Monterey - Control Connections to Other Systems via a Deny-All and Allow-by-Exception Firewall PolicyUnixNIST macOS Monterey v1.0.0 - CNSSI 1253
SLES-12-030030 - The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.UnixDISA SLES 12 STIG v3r1
UBTU-16-030050 - An application firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.UnixDISA STIG Ubuntu 16.04 LTS v2r3
WN16-00-000310 - A host-based firewall must be installed and enabled on the system.WindowsDISA Windows Server 2016 STIG v2r9
WN19-00-000280 - Windows Server 2019 must have a host-based firewall installed and enabled.WindowsDISA Windows Server 2019 STIG v3r2
WN22-00-000280 - Windows Server 2022 must have a host-based firewall installed and enabled.WindowsDISA Windows Server 2022 STIG v2r2