NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-5(2) — Security-relevant External System Interfaces
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Documentation must describe how the system interfaces with external systems from a security perspective — what data flows across the boundary, what protocols are used, and what security measures protect those interfaces.
Example 1: Create interface documentation for each external system connection that records the remote system name, data exchanged, protocol and port, authentication method, encryption used, and the security agreement (ISA/MOU) governing the connection. Include this in your system security plan.
Example 2: In your network diagrams, label every external interface with its security properties. A connection to a cloud API should show HTTPS/TLS 1.3, OAuth 2.0 authentication, the data classification of the traffic, and bandwidth/rate limiting. This makes interface security easy to audit and assess.