NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING

CA-3(5) Restrictions on External System Connections

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement requires you to restrict connections to external systems by using an allow-list or deny-list approach — only approved connections are permitted.

Example 1: Configure your perimeter firewall to use a deny-by-default policy where only explicitly approved external IP addresses and ports are allowed through.

Example 2: Maintain an approved vendor connections list in a spreadsheet or GRC tool like Archer, and require formal approval before any new external connection is established.
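The two examples above can be combined into a single check. The following is an added illustration, not part of the original page: it audits outbound flows against an exported approved-connections register under a deny-by-default rule. The CSV column names, vendor names, addresses, and the `approved_until` expiry field are assumptions constructed for this sketch.

```python
import csv
import ipaddress
from datetime import date

# Constructed sample of an approved external connections register (CSV export).
APPROVED_CSV = """vendor,cidr,protocol,port,approved_until
ExampleVendorA,203.0.113.0/28,tcp,443,2030-12-31
ExampleVendorB,198.51.100.25/32,tcp,22,2020-01-31
"""

# Constructed sample of outbound flows: (destination IP, protocol, port).
SAMPLE_FLOWS = [
    ("203.0.113.5", "tcp", 443),    # inside an approved range and port
    ("203.0.113.5", "tcp", 8443),   # approved host, unapproved port
    ("198.51.100.25", "tcp", 22),   # approval has expired
    ("192.0.2.77", "udp", 53),      # never approved
]

def load_approved(text):
    """Parse the register into (network, protocol, port, expiry, vendor) tuples."""
    return [(ipaddress.ip_network(r["cidr"]), r["protocol"].lower(), int(r["port"]),
             date.fromisoformat(r["approved_until"]), r["vendor"])
            for r in csv.DictReader(text.strip().splitlines())]

def evaluate(flow, approved, today):
    """Return (decision, reason); anything without a current approval is denied."""
    dst, proto, port = flow
    addr = ipaddress.ip_address(dst)
    expired = None
    for net, a_proto, a_port, expiry, vendor in approved:
        if addr in net and proto.lower() == a_proto and port == a_port:
            if today <= expiry:
                return ("allow", f"approved for {vendor}")
            expired = vendor  # matched, but the approval has lapsed
    if expired:
        return ("deny", f"approval for {expired} expired")
    return ("deny", "no matching approval")

def audit(flows, approved, today):
    """Evaluate every flow and return a list of (flow, decision, reason)."""
    return [(f, *evaluate(f, approved, today)) for f in flows]

if __name__ == "__main__":
    register = load_approved(APPROVED_CSV)
    for flow, decision, reason in audit(SAMPLE_FLOWS, register, date(2025, 1, 1)):
        print(decision.upper(), flow, reason)
```

Denied flows with the reason "no matching approval" are the ones that need either a firewall block or a formal approval request before the connection is allowed.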