The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device].
Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Not appropriate for DoD to define for all CSP's infrastructure or service offerings
Source:
DoD RMF TAG
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI).
CA-3 (3) Guidance: Refer to Appendix H – Cloud Considerations of the TIC 2.0 Reference Architecture document.