639: EXTERNAL CONNECTIONS

Policy 639: External Information Systems establishes responsibilities to ensure that connections to information systems external to state systems are documented and properly secured. Policy 639 replaces legacy Policy 641: External Connections. The new policy has been completely revised to fully address the security controls specified below.

Standard 639S1: External System Connections sets requirements for planning, establishing, maintaining, and terminating connections between systems that are owned and operated by different organizations. Standard 639S1 replaces legacy Standard 641S1: Interconnecting IT Systems. The requirements stated in the new standard were sourced from NIST Special Publication 800-47: Security Guide for Interconnecting Information Technology Systems.

Risks addressed in this policy and standard include:

  • Maintaining secure external connections to outside entities to enable agencies to operate effectively
  • Establishing requirements for a baseline that provides an effective practice for planning, establishing, maintaining, and terminating interconnections

These documents address the following NIST SP 800-53R4 security controls:

  • AC-20: Use of External Information Systems
  • AC-20(1): Limits on Authorized Use
  • AC-20(2): Portable Storage Devices
  • AC-20(3): Non-Organizationally Owned Systems / Components / Devices
  • CA-3: System Interconnections
  • CM-7: Least Functionality

These controls apply organization-defined time periods and other parameters that are consistent with IRS Publication 1075 and Medicare/Medicaid Services Acceptable Risk Safeguards (ARS).

View or Download:

DRAFT Policy 639: External Information Systems

DRAFT Standard 639S1: External System Connections