>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CA-9Internal System Connections

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a

Authorize internal connections of organization-defined system components or classes of components to the system;

b

Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

c

Terminate internal system connections after organization-defined conditions; and

d

Review organization-defined frequency the continued need for each internal connection.

>DoD Impact Level Requirements

FedRAMP Parameter Values

CA-9 (d) [at least annually]

>Discussion

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration.

The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

>Programmatic Queries

Beta

Related Services

VPC Peering
Transit Gateway
PrivateLink

CLI Commands

List VPC peering connections
aws ec2 describe-vpc-peering-connections --query 'VpcPeeringConnections[*].{Id:VpcPeeringConnectionId,Status:Status.Code,Requester:RequesterVpcInfo.VpcId,Accepter:AccepterVpcInfo.VpcId}'
Check Transit Gateway attachments
aws ec2 describe-transit-gateway-attachments
List VPC endpoints
aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[*].{Id:VpcEndpointId,Service:ServiceName,Type:VpcEndpointType}'
Check PrivateLink services
aws ec2 describe-vpc-endpoint-services --query 'ServiceDetails[*].{Name:ServiceName,Type:ServiceType}'
Open AWS ConsoleDocumentation

>Related Controls

AC-3
AC-4
AC-18
AC-19
CM-2
IA-3
SC-7
SI-12

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CA-9 (Internal System Connections)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CA-9?
  • How frequently is the CA-9 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CA-9?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CA-9 requirements.
  • What automated tools, systems, or technologies are deployed to implement CA-9?
  • How is CA-9 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CA-9 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CA-9?
  • What audit logs, records, reports, or monitoring data validate CA-9 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CA-9 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CA-9 compliance?

Ask AI

Configure your API key to use AI features.