SP 800-47. Security Guide for Interconnecting Information Technology Systems

The Security Guide for Interconnecting Information Technology Systems provides guidance for planning, establishing, maintaining, and terminating interconnections between information technology (IT) systems that are owned and operated by different organizations. They are consistent with the requirements specified in the Office of Management and Budget (OMB) Circular A-130, Appendix III, for system interconnection and information sharing. A system interconnection is defined as the direct connection of two or more IT systems for the purpose of sharing data and other information resources. The document describes benefits of interconnecting IT systems, defines the basic components of an interconnection, identifies methods and levels of interconnectivity, and discusses potential security risks. The document then presents a "life-cycle" approach for system interconnections, with an emphasis on security. Four phases are addressed: a) Planning the interconnection: the organizations perform preliminary activities; examine technical, security, and administrative issues; and form an agreement governing the management, operation, and use of the interconnection; b) Establishing the interconnection: the organizations develop and execute a plan for establishing the interconnection, including implementing or configuring security controls; c) Maintaining the interconnection: the organizations maintain the interconnection after it is established to ensure that it operates properly and securely; and d) Disconnecting the interconnection: one or both organizations may terminate the interconnection. The termination should be conducted in a planned manner to avoid disrupting the other party's system. In an emergency, however, one or both organizations may choose to terminate the interconnection immediately. The document provides recommended steps for completing each phase, emphasizing security measures to protect the systems and shared data. The document also contains guides and samples for developing an Interconnection Security Agreement (ISA) and a Memorandum of Understanding/Agreement (MOU/A). The ISA specifies technical and security requirements of the interconnection; the MOU/A defines the responsibilities of the organizations. Finally, the document contains a guide for developing an Implementation Plan to establish the interconnection.