NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING
CA-3(7) — Transitive Information Exchanges
(a) Identify transitive (downstream) information exchanges with other systems through the systems identified in [CA-3a](#ca-3_smt.a); and
(b) Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Transitive or "downstream" information exchanges are information exchanges between the system or systems with which the organizational system exchanges information and other systems. For mission-essential systems, services, and applications, including high value assets, it is necessary to identify such information exchanges. The transparency of the controls or protection measures in place in such downstream systems connected directly or indirectly to organizational systems is essential to understanding the security and privacy risks resulting from those information exchanges. Organizational systems can inherit risk from downstream systems through transitive connections and information exchanges, which can make the organizational systems more susceptible to threats, hazards, and adverse impacts.
Practitioner Notes
This enhancement addresses transitive information exchanges — when System A connects to System B, which connects to System C, your data may end up on System C without your direct approval.
Example 1: Include clauses in your Interconnection Security Agreements that prohibit the receiving system from forwarding your data to third-party systems without written consent.
Example 2: In your cloud environment, review service provider subprocessor lists (e.g., Microsoft's subprocessor page) to understand where your data might transit beyond your primary provider.
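Both parts of the enhancement can be worked through mechanically once the CA-3a interconnection inventory is recorded as a graph: walk it outward from the organizational system to find every system reached through an intermediary, then flag those whose controls have not been verified and trace each back to the direct interconnection that carries the data to it. The following Python is an added example, not NIST text or any organization's tooling; the system names, connections and verification statuses are constructed for illustration, and the choice to treat a system with no recorded assessment as "cannot be verified" is an assumption of the example.

```python
"""Identify transitive (downstream) information exchanges from a CA-3a-style
interconnection inventory and flag those that must cease because the
controls on the downstream system cannot be verified or validated.

All system names, connections and verification statuses below are
constructed for this example; they do not come from any real inventory.
"""
from collections import deque

# Constructed inventory: for each system, the systems it exchanges
# information with. "ORG" is the organizational system; its neighbours are
# the direct interconnections that CA-3a would document.
EXCHANGES = {
    "ORG": ["PARTNER-A", "CLOUD-SVC"],
    "PARTNER-A": ["PARTNER-A-BACKUP", "ANALYTICS-VENDOR"],
    "CLOUD-SVC": ["SUBPROCESSOR-1"],
    "SUBPROCESSOR-1": ["SUBPROCESSOR-2", "CLOUD-SVC"],  # cycle back upstream
    "ANALYTICS-VENDOR": [],
    "PARTNER-A-BACKUP": [],
    "SUBPROCESSOR-2": [],
}

# Constructed verification status. A system absent from this map has never
# been assessed; this example treats that the same as "cannot be verified".
CONTROLS_VERIFIED = {
    "PARTNER-A": True,
    "CLOUD-SVC": True,
    "PARTNER-A-BACKUP": True,
    "ANALYTICS-VENDOR": False,
    "SUBPROCESSOR-1": True,
}


def downstream_paths(exchanges, origin):
    """Breadth-first walk from origin. Returns {system: path} for every
    system reachable through one or more exchanges, where path lists the
    systems the information traverses, starting with origin. The visited
    set makes the walk terminate on inventories that contain cycles."""
    paths = {}
    queue = deque([[origin]])
    visited = {origin}
    while queue:
        path = queue.popleft()
        for nxt in exchanges.get(path[-1], []):
            if nxt in visited:
                continue
            visited.add(nxt)
            paths[nxt] = path + [nxt]
            queue.append(paths[nxt])
    return paths


def transitive_exchanges(exchanges, origin):
    """CA-3(7)(a): downstream systems reached only through an intermediary
    (path longer than origin -> direct system). Direct interconnections are
    excluded because CA-3a already covers them."""
    return {system: path
            for system, path in downstream_paths(exchanges, origin).items()
            if len(path) > 2}


def exchanges_to_cease(exchanges, origin, verified):
    """CA-3(7)(b): every transitive system whose controls are not verified,
    mapped to the direct interconnection (path[1]) that carries information
    to it. That direct interconnection is where the organization can act,
    e.g. by invoking the ISA clause that prohibits onward forwarding."""
    result = {}
    for system, path in transitive_exchanges(exchanges, origin).items():
        if not verified.get(system, False):
            result[system] = path[1]
    return result


if __name__ == "__main__":
    for system, path in sorted(transitive_exchanges(EXCHANGES, "ORG").items()):
        print("transitive:", " -> ".join(path))
    for system, via in sorted(
            exchanges_to_cease(EXCHANGES, "ORG", CONTROLS_VERIFIED).items()):
        print(f"cease: {system} (reached via direct interconnection {via})")
```

Run against the constructed inventory, the walk reports four transitive systems and flags two exchanges to cease: ANALYTICS-VENDOR (assessed and failed) through PARTNER-A, and SUBPROCESSOR-2 (never assessed) through CLOUD-SVC. In practice the graph would be populated from the interconnection register and subprocessor lists the notes above describe, and the verification map from assessment records.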