STIGhub: A free STIG search and compliance tool (STIGs updated 3 days ago). © 2026 Beacon Cloud Solutions, Inc.

CA-3

Family: Assessment, Authorization, and Monitoring | Rev 5 | organization

Information Exchange

Baselines: Low, Moderate, High

Control Statement

a. Approve and manage the exchange of information between the system and other systems using [Selection: organization-defined value];
b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
c. Review and update the agreements [Assignment: frequency].

Supplemental Guidance

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2), may help to communicate and reduce risk. Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged, how the information is protected) are described in the respective security and privacy plans.
If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.

Related Controls (12)

AC-4, AC-20, AU-16, CA-6, IA-3, IR-4, PL-2, PT-7, RA-3, SA-9, SC-7, SI-12

CCI Identifiers (10)

CCI-000257: The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements.
CCI-000258: Document, as part of each exchange agreement, the interface characteristics.
CCI-000259: Document, as part of each exchange agreement, the security requirements, controls and responsibilities for each system, and the impact level of the information communicated.
CCI-000260: The organization documents, for each interconnection, the nature of the information communicated.
CCI-000261: The organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.
CCI-001580: The organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary).
CCI-002083: Review and update the agreements on an organization-defined frequency.
CCI-002084: Defines the frequency at which reviews and updates to the agreements must be conducted.
CCI-003862: Approve and manage the exchange of information between the system and other systems using interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreement; and/or nondisclosure agreements with an organization-defined type of agreement.
CCI-003863: Document, as part of each exchange agreement, the privacy requirements, controls and responsibilities for each system, and the impact level of the information communicated.

Linked STIG Checks (0)

No STIG checks reference this control.