Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family CA

CA-3 Information Exchange

Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};
Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
Review and update the agreements {{ insert: param, ca-03_odp.03 }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 3 mappings from 1 framework: CSF 2.0 (3, partial)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (7)

Weaknesses this control addresses (7) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-284 | Improper Access Control | 5,367 | Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems.
CWE-287 | Improper Authentication | 4,908 | Mandating documentation of security requirements for exchanges includes specifying and enforcing authentication mechanisms between systems.
CWE-285 | Improper Authorization | 1,356 | Documenting authorization requirements and responsibilities for each exchange ensures authorization decisions are explicitly defined and managed.
CWE-319 | Cleartext Transmission of Sensitive Information | 1,076 | By requiring documented security controls for information exchanges, the control reduces the risk of cleartext transmission of sensitive data.
CWE-311 | Missing Encryption of Sensitive Data | 554 | Exchange agreements must document security requirements, which would include encryption to protect sensitive data in transit.
CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 61 | Approving specific exchanges and documenting interface characteristics restricts communication channels to only intended endpoints and systems.
CWE-501 | Trust Boundary Violation | 30 | Defining interfaces, controls, and trust responsibilities in agreements helps prevent violations of trust boundaries during data exchanges.

Top CVEs where this control is the strongest mitigation

No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family CA

CA-1 CA-2 CA-4 CA-5 CA-6 CA-7 CA-8 CA-9