03.12.05: Information Exchange

Control Family: Security Assessment and Monitoring

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-47 [83]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.12.05

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • CA-03

a. Approve and manage the exchange of CUI between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; non-disclosure agreements; other types of agreements].

b. Document interface characteristics, security requirements, and responsibilities for each system as part of the exchange agreements.

c. Review and update the exchange agreements [Assignment: organization-defined frequency].

Discussion:

Information exchange applies to information exchanges between two or more systems, both internal and external to the organization. Organizations consider the risks related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security requirements or policies. The types of agreements selected are based on factors such as the relationship between the organizations exchanging information (e.g., government to government, business to business, government to business, or government or business to individual) and the level of access to the organizational system by users of the other system. The types of agreements can include information exchange security agreements, interconnection security agreements, memoranda of understanding or agreement, service-level agreements, or other types of agreements.

Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (e.g., service providers, contractors, system developers, and system integrators). The types of information contained in exchange agreements include the interface characteristics, security requirements, controls, and responsibilities for each system.

Assessment Methods and Objectives

Examine [SELECT FROM: access control policy and procedures; procedures for system connections; system and communications protection policy and procedures; system interconnection security agreements; information exchange security agreements; service-level agreements; memoranda of understanding or agreements; non-disclosure agreements; system design documentation; enterprise architecture; security architecture; system configuration settings; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with development, implementation, and approval responsibilities for system interconnection agreements; personnel who manage systems to which the exchange agreements apply; personnel with information security responsibilities]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.12.05.ODP[01]: one or more of the following PARAMETER VALUES are selected: {interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; non-disclosure agreements; other types of agreements}.

A.03.12.05.ODP[02]: the frequency at which to review and update agreements is defined.

A.03.12.05.a[01]: the exchange of CUI between the system and other systems is approved using <A.03.12.05.ODP[01]: SELECTED PARAMETER VALUES>.

A.03.12.05.a[02]: the exchange of CUI between the system and other systems is managed using <A.03.12.05.ODP[01]: SELECTED PARAMETER VALUES>.

A.03.12.05.b[01]: interface characteristics for each system are documented as part of the exchange agreements.

A.03.12.05.b[02]: security requirements for each system are documented as part of the exchange agreements.

A.03.12.05.b[03]: responsibilities for each system are documented as part of the exchange agreements.

A.03.12.05.c[01]: exchange agreements are reviewed <A.03.12.05.ODP[02]: frequency>.

A.03.12.05.c[02]: exchange agreements are updated <A.03.12.05.ODP[02]: frequency>.