Policy 639: External Information Systems establishes responsibilities to ensure connections to information systems external to state systems are documented and properly secured. Policy 639 replaces legacy Policy 641: External Connections. The new policy has been completely revised to fully address the security controls specified below.
Standard 639S1: External System Connections sets requirements for planning, establishing, maintaining, and terminating connections between systems that are owned and operated by different organizations. Standard 639S1 replaces legacy Standard 641S1: Interconnecting IT Systems. The requirements stated in the new standard were sourced from NIST Special Publication 800-47: Security Guide for Interconnecting Information Technology Systems.
Risks addressed in this policy and standard include:
- Maintaining secure external connections to outside entities to enable agencies to operate effectively
- Establishing requirements for a baseline that provides an effective practice for planning, establishing, maintaining, and terminating interconnections
These documents address the following NIST SP 800-53R4 security controls:
- AC-20: Use of External Information Systems
- AC-20(1): Limits on Authorized Use
- AC-20(2): Portable Storage Devices
- AC-20(3): Non-Organizationally Owned Systems / Components / Devices
- CA-3: System Interconnections
- CM-7: Least Functionality
These controls apply organization-defined time periods and other parameters that are consistent with IRS Publication 1075 and Medicare/Medicaid Services Acceptable Risk Safeguards (ARS).