NIST Special Publication 800-47 Security Guide f or Interconnecting Inf ormation Technolog y Systems Recommendations of the National Institute of Standards and Technology Tim Grance Joan Hash Steven Peck Jonathan Smith Karen Korow-Diks Security Guide for Interconnecting Information Technology Systems Recommendations of the National Institute of Standards and Technology NIST Spe cial Pu blicatio n 800-47 C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Inst itute of Stan dards and T echnology Gaithersburg, MD 2089 9-8930 August 2002 U.S. Departme nt of Commerc e Donald L. Eva ns, Secreta ry Technolog y Administratio n Phillip J. Bond, Under Secretary for Tech nology Natio nal Institu te of Standards and T echnol ogy Arden L. Bement, Jr., Director Acknowledgements The authors, Joan Hash an d Tim Grance of the National Institute of Standards and Technology (NIST), and Steven Peck, Jonathan Sm ith, and Karen Korow-Di ks of Booz Allen Ham ilton, wish to t hank their colleagues who reviewed drafts of this docum ent an d contributed to its technical content. We also gratefully acknowledge and appreciate the many comme nts we received from readers of the public and private sector s, whose valuable insights im proved the quality and usefulness of th is docum ent. Finally , we wish to express thanks to the U.S. Custo ms Serv ice for use of the Interconnection Securit y Agreem ent (ISA) guidan ce docu ment and sam ple ISA, which are included in this docum ent. Any mention of commercia l products or reference to commercial organizati ons is for informati on only; it does not impl y recommendation or endorsement by NIST nor does it imply that t he products mentioned are neces sarily the best available for the purpose. i SECURIT Y GUIDE FOR INTERC ONNECTING IT S YSTEMS Table of Contents EXECUTIVE SUMMARY ........................................................................................................ ES-1 1. INTRODUCTION ................................................................................................................ 1-1 1.1 Authority ................................................................................................................... 1-1 1.2 Purpose .................................................................................................................... 1-1 1.3 Scope ....................................................................................................................... 1-1 1.4 Audience .................................................................................................................. 1-1 1.5 Other Appro aches to System Interconnectivity ........................................................ 1-2 1.6 Document Structure ................................................................................................. 1-2 2. BACKGROUND ................................................................................................................. 2-1 3. PLANNI NG A SYSTE M INTERCONNECTI ON................................................................. 3-1 3.1 Step 1: Establish a Joint Planning Te am................................................................. 3-1 3.2 Step 2: Define the Busin ess Case ........................................................................... 3-1 3.3 Step 3: Perform Certification and Accreditation ....................................................... 3-2 3.4 Step 4: Determine Interconnection R equirements ................................................... 3-2 3.5 Step 5: Document Interconnection A greement ........................................................ 3-5 3.6 Step 6: Approve or Reject System In terconnectio n................................................. 3-6 4. ESTABLI SHING A SY