CA-3: Information Exchange

From NIST's SP800-53:

a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];

b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and

c. Review and update the agreements [Assignment: organization-defined frequency].


SP800-53 Control Mapped to NIST Cyber Security Framework

Generated from NIST's SP800-53/CSF Crosswalk mappings.

| Control ID | Description |
|---|---|
| DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
| ID.AM-3 | Organizational communication and data flows are mapped |

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against.

| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1020.001 | Traffic Duplication | Exfiltration |
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |