| Field | Detail |
|---|---|
| Control ID | CA-09 |
| Control name | Internal System Connections |
| Framework | NIST SP 800-53, Revision 5 |
| Control family | Assessment, Authorization, and Monitoring (CA) |
| Baselines | LOW, MODERATE, HIGH |
| Implementation level | Organization (First Party and Third Party) |
| Risk severity | Medium |
What this control requires
CA-09 requires organizations to authorize, document, and periodically review every internal connection between system components. This means you need a formal process that tracks how devices, servers, endpoints, and other components connect to each other inside your environment.
The control breaks into four distinct obligations. First, you must authorize each internal connection before it goes live. Second, you must document the interface characteristics, security requirements, privacy requirements, and the type of information flowing through the connection.
Third, you must terminate connections when predefined conditions are met, such as a device being decommissioned or a project ending. Fourth, you must review each connection on a defined schedule to confirm it still serves a legitimate business purpose. The termination and review obligations are where most organizations fall short.
The control applies to a wide range of intra-system connections, from printers, scanners, and mobile devices to database servers, development workstations, and IoT sensors. You can authorize classes of similar components in bulk rather than treating each device individually, but the documentation and review requirements still apply to every class.
Why it matters
Unmanaged internal connections are one of the most overlooked sources of compliance and audit risk. When organizations fail to maintain an accurate inventory of intra-system connections, they lose visibility into how data flows between components, which systems interact with sensitive information, and whether deprecated or unauthorized devices still have network access.
This gap introduces audit risk that compounds over time. Auditors evaluating your authorization boundary will look for a complete, current list of authorized internal connections and evidence that you review them periodically. Missing documentation or stale connection records signal weak configuration management practices across the broader control environment.
More critically, undocumented internal connections expand your attack surface in ways that external scans alone won’t reveal.
What attackers exploit
- Unauthorized endpoints on trusted networks. A forgotten development server or test device that still has production network access can serve as a pivot point once an attacker gains initial access.
- Undocumented interface characteristics. When security teams don’t know what protocols a connection uses or what data it transmits, they can’t apply appropriate encryption, access controls, or monitoring rules.
- Stale connections to decommissioned systems. Connections that should have been terminated but remain active create pathways that bypass boundary protections.
- Unmonitored mobile and IoT devices. Tablets, sensors, and personal devices connected without formal authorization often lack endpoint protection, patching, and logging.
How to implement
Implementing CA-09 requires balancing thoroughness with operational efficiency. Most organizations already have some of these connections in place but lack the formal authorization and documentation processes the control demands.
For your organization
Step 1: Inventory all internal connections. Start by cataloging every internal system connection, including servers, workstations, mobile devices, printers, scanners, IoT sensors, and development environments. Network discovery tools, asset management platforms, and configuration management databases (CMDBs) are the primary tooling categories for this step.
Don’t rely solely on automated discovery: many internal connections, particularly in lab or test environments, sit outside standard network segments and will not show up in a scan of your production ranges.
Step 2: Establish an authorization process. Define who has the authority to approve new internal connections and under what conditions. This typically sits with the system owner or authorizing official. Document the approval workflow in your system security plan so it’s repeatable and auditable.
Step 3: Document each connection. For every authorized connection, record the interface characteristics (protocols, ports, connection type), security requirements (encryption, authentication, access controls), privacy requirements (whether personally identifiable information traverses the connection), and the nature of information communicated. Store this documentation alongside your system design records.
Step 4: Define termination conditions. Specify the circumstances under which each connection should be terminated. Common conditions include device decommissioning, end of a project phase, personnel reassignment, or detection of a security incident involving the connected component.
Step 5: Schedule periodic reviews. Set a review frequency appropriate to your risk environment. Quarterly reviews are common for moderate-baseline systems. During each review, verify that every listed connection still serves a legitimate mission or business function and that its documentation remains accurate.
Step 6: Integrate with continuous monitoring. Align your CA-09 review cycle with your broader continuous monitoring strategy so that changes in your internal connection landscape are detected between scheduled reviews.
Common mistakes to avoid
- Treating the connection inventory as a one-time exercise rather than a living document
- Failing to include development and test environments in the scope of internal connections
- Documenting connections at the network segment level instead of the component level
- Not defining clear termination triggers, which leads to connections that persist indefinitely
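The six steps above describe a record per connection plus three recurring checks (undocumented connections, fired termination conditions, overdue reviews). The following is an added example, not code from the page or from any UpGuard product, showing how those checks can be run against a constructed inventory; the record fields, hostnames and the 90-day review window are assumptions chosen to match the quarterly cadence in Step 5.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Connection:
    src: str              # connecting component
    dst: str              # component it connects to
    protocol: str         # interface characteristics (Step 3)
    port: int
    encrypted: bool       # security requirement (Step 3)
    contains_pii: bool    # privacy requirement (Step 3)
    authorized_by: str    # Step 2: who approved it
    last_review: date     # Step 5: date of last periodic review
    terminate_when: str   # Step 4: documented termination condition
    terminated: bool = False

def reconcile(authorized, discovered, decommissioned, today, review_days=90):
    """Compare the authorized inventory with what discovery saw; return (finding, key) tuples."""
    findings = []
    live = [c for c in authorized if not c.terminated]
    known = {(c.src, c.dst, c.protocol, c.port) for c in live}
    # Step 1: anything on the wire that was never authorized
    findings += [("undocumented", d) for d in discovered if d not in known]
    for c in live:
        key = (c.src, c.dst, c.protocol, c.port)
        # Step 4: a termination condition (decommissioning) has been met
        if c.src in decommissioned or c.dst in decommissioned:
            findings.append(("terminate", key))
        # Step 5: last review is older than the quarterly window
        if today - c.last_review > timedelta(days=review_days):
            findings.append(("review-overdue", key))
        # Step 3: documented privacy requirement not met by the security settings
        if c.contains_pii and not c.encrypted:
            findings.append(("pii-unencrypted", key))
    return findings

# Constructed sample data (not from the page); hostnames are placeholders.
TODAY = date(2024, 6, 30)
AUTHORIZED = [
    Connection("ws-fin-01", "db-hr-01", "tcp", 5432, True, True, "sys-owner", date(2024, 5, 1), "device decommissioned"),
    Connection("dev-ws-07", "db-staging", "tcp", 3306, False, True, "sys-owner", date(2024, 1, 10), "project ends"),
    Connection("printer-3f", "print-srv", "tcp", 631, False, False, "sys-owner", date(2024, 6, 1), "device decommissioned"),
]
DISCOVERED = [  # constructed network-discovery output: (src, dst, protocol, port)
    ("ws-fin-01", "db-hr-01", "tcp", 5432),
    ("printer-3f", "print-srv", "tcp", 631),
    ("iot-sensor-12", "collector-01", "udp", 5683),  # never authorized
]
DECOMMISSIONED = {"dev-ws-07"}  # constructed asset-management feed of retired devices
```

Running `reconcile(AUTHORIZED, DISCOVERED, DECOMMISSIONED, TODAY)` flags the unauthorized sensor and three problems with the decommissioned development workstation, which is exactly the stale, unencrypted, PII-carrying connection the "What attackers exploit" section warns about.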
For your vendors
When you rely on third-party service providers, you need assurance that they manage their own internal system connections with the same rigor.
In practice, that means asking pointed questions about their authorization and review processes during vendor assessments.
Questionnaire questions to include
- Do you maintain a current inventory of all authorized internal system connections?
- What is your process for authorizing new internal connections before they become active?
- How do you document interface characteristics, security requirements, and privacy requirements for each internal connection?
- What conditions trigger termination of an internal system connection?
- How often do you review existing internal connections for continued need?
- Can you provide evidence of your most recent connection review?
Evidence to request
- A redacted or representative list of authorized internal system components and connection types
- The vendor’s procedures addressing system connections and authorization workflows
- Evidence of periodic connection reviews (such as a review log or assessment report excerpts)
- System design documentation showing how internal connections are segmented and monitored
Red flags
- The vendor cannot articulate their connection authorization process or provides only informal descriptions
- No documented review cycle exists for evaluating whether internal connections are still needed
- The vendor conflates internal and external connection management, suggesting they haven’t scoped CA-09 specifically
- Evidence provided is outdated or references a framework revision that predates current requirements
Verification approach. When reviewing vendor evidence, look for consistency between their stated authorization process and the artifacts they produce. A vendor claiming quarterly reviews should have timestamped review records within the last 90 days. Cross-reference their connection inventory against their system architecture diagrams to identify undocumented connections. Vendors whose security programs include mature asset management practices tend to have stronger CA-09 implementations.
Evidence examples
| Evidence type | Example artifact |
|---|---|
| Authorization policy | Assessment, authorization, and monitoring policy defining roles and approval workflows for internal connections |
| Connection inventory | List of authorized system components and classes of components with connection types, protocols, and data classifications |
| Interface specification | System design specification defining interface characteristics, security requirements, and privacy requirements for each authorized connection |
| Configuration records | System configuration settings showing access control rules, encryption protocols, and segmentation applied to internal connections |
| Periodic connection review report | Assessment report documenting the most recent periodic review of internal connections, including disposition decisions |
| Termination procedures | Procedures addressing conditions for connection termination and evidence of completed terminations |
| Audit trail | System audit log capturing connection establishment, modification, and removal events with timestamps and actor identity |
| Planning artifacts | System security plan and privacy plan sections addressing internal connection management scope and review frequency |
Cross-framework mapping
No cross-framework mappings are currently configured for this control.
How UpGuard helps
UpGuard gives security teams the visibility and automation needed to manage internal and external connection risks at scale.
- Breach Risk continuously monitors your external attack surface, helping you identify exposed internal components and undocumented connections that could be exploited by attackers.
- Vendor Risk streamlines the assessment of third-party CA-09 compliance by automating security questionnaires and tracking vendor evidence of internal connection management practices.
- User Risk discovers unauthorized devices and shadow IT activity that may introduce unmanaged internal connections to your environment.
UpGuard is ranked #1 on G2 for Third-Party and Supplier Risk Management for 15 consecutive quarters, trusted by over 50,000 organizations in more than 90 countries.
Related controls
- AC-03 (Access Enforcement) — Ensures that only authorized users and processes can use internal connections once they are established, enforcing the principle of least privilege across connected components.
- AC-04 (Information Flow Enforcement) — Governs how information moves between connected system components, ensuring data flows align with the security and privacy requirements documented under CA-09.
- AC-18 (Wireless Access) — Addresses wireless connections specifically, which are a subset of the internal connections CA-09 requires you to authorize and document.
- AC-19 (Access Control for Mobile Devices) — Covers mobile device connections to organizational systems, directly overlapping with CA-09’s requirement to authorize and document mobile endpoint connections.
- CM-02 (Baseline Configuration) — Establishes the approved configuration for system components, which informs the interface characteristics and security requirements documented for each internal connection.
- IA-03 (Device Identification and Authentication) — Requires that devices authenticate before connecting to organizational systems, providing a technical enforcement mechanism for the authorization CA-09 mandates.
- SC-07 (Boundary Protection) — Defines and enforces boundaries between network segments, complementing CA-09 by controlling where internal connections can traverse trust boundaries.
- SI-12 (Information Management and Retention) — Governs how long connection documentation and review records must be retained, supporting the ongoing documentation and review obligations under CA-09.
Frequently asked questions
What is NIST SP 800-53 CA-09?
CA-09 is a security control that requires organizations to authorize, document, and periodically review all internal connections between system components within an information system. The control applies to intra-system connections such as servers, workstations, mobile devices, printers, and sensors. Each authorized connection must have documented interface characteristics, security requirements, and privacy requirements. CA-09 is included in LOW, MODERATE, and HIGH baselines under the NIST SP 800-53 framework. It belongs to the Assessment, Authorization, and Monitoring family.
What happens if CA-09 is not implemented?
Organizations that fail to implement CA-09 risk audit findings for inadequate authorization and documentation of internal system connections. Without a formal connection inventory, security teams cannot verify whether every component on the network has been authorized or whether deprecated connections have been properly terminated. This gap weakens the overall authorization boundary and can trigger cascading findings across related controls like access enforcement and boundary protection. Regulators and auditors treat missing connection documentation as evidence of broader configuration management deficiencies.
How do you audit CA-09?
Auditing CA-09 starts with examining the list of components or classes of components authorized as internal system connections and comparing it against actual network topology. Auditors review system design documentation for completeness of interface characteristics, security requirements, and privacy requirements. They verify that termination conditions are defined and that evidence of periodic reviews exists, typically through assessment reports and system audit records. Interviews with system owners confirm that the authorization process is actively followed rather than documented but ignored.
What are examples of internal system connections?
Internal system connections include any link between organizational system components operating within the same authorization boundary. Common examples include workstations connected to file servers, mobile devices accessing internal applications, printers and scanners on corporate networks, IoT sensors transmitting data to collection servers, and development environments connected to staging databases. Organizations can authorize these connections individually or by class when components share common characteristics and security configurations.