NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING

CA-3(6)Transfer Authorizations

Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies—via independent means— whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays).

Practitioner Notes

This enhancement requires formal authorization before any data can be transferred between connected systems. It is not enough to just approve the connection — you also need to approve what flows through it.

Example 1: Implement data loss prevention (DLP) policies in Microsoft 365 that block sensitive data types (like CUI or PII) from being transferred to unapproved external systems.

Example 2: Require a signed data transfer agreement before allowing automated file transfers via SFTP between your system and a subcontractor's system.

More Assessment, Authorization, and Monitoring Controls

CA-1 Policy and Procedures CA-2 Control Assessments CA-2(1) Independent Assessors CA-2(2) Specialized Assessments