NIST 800-53 r5 controls catalogue, family CA
CA-3 Information Exchange
- Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};
- Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
- Review and update the agreements {{ insert: param, ca-03_odp.03 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (7)
- T1020.001 Traffic Duplication (tactic: Exfiltration)
- T1041 Exfiltration Over C2 Channel (tactic: Exfiltration)
- T1048 Exfiltration Over Alternative Protocol (tactic: Exfiltration)
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (tactic: Exfiltration)
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (tactic: Exfiltration)
- T1078 Valid Accounts (tactics: Stealth, Persistence, Privilege Escalation, Initial Access)
- T1567 Exfiltration Over Web Service (tactic: Exfiltration)
Weaknesses this control addresses (7)
CWEs are ranked by how often they appear in real CVEs. The rationale column describes how this control reduces the exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems. |
| CWE-287 | Improper Authentication | 4,730 | Mandating documentation of security requirements for exchanges includes specifying and enforcing authentication mechanisms between systems. |
| CWE-285 | Improper Authorization | 1,230 | Documenting authorization requirements and responsibilities for each exchange ensures authorization decisions are explicitly defined and managed. |
| CWE-319 | Cleartext Transmission of Sensitive Information | 1,042 | By requiring documented security controls for information exchanges, the control reduces the risk of cleartext transmission of sensitive data. |
| CWE-311 | Missing Encryption of Sensitive Data | 552 | Exchange agreements must document security requirements, which would include encryption to protect sensitive data in transit. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 57 | Approving specific exchanges and documenting interface characteristics restricts communication channels to only intended endpoints and systems. |
| CWE-501 | Trust Boundary Violation | 24 | Defining interfaces, controls, and trust responsibilities in agreements helps prevent violations of trust boundaries during data exchanges. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |