03.01.20: Use of External Systems
Control Family: Access Control
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications: N/A
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.01.20
CMMC Level(s): N/A
AC-20
AC-20(01)
AC-20(02)
a. Prohibit the use of external systems unless the systems are specifically authorized.
b. Establish the following security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: [Assignment: organization-defined security requirements].
c. Permit authorized individuals to use external systems to access the organizational system or to process, store, or transmit CUI only after:
1. Verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied and
2. Retaining approved system connection or processing agreements with the organizational entities hosting the external systems.
d. Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems.
Discussion:
External systems are systems that are used by but are not part of the organization. These systems include personally owned systems, system components, or devices; privately owned computing and communication devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; and systems managed by contractors. Organizations have the option to prohibit the use of any type of external system or specified types of external systems (e.g., prohibit the use of external systems that are not organizationally owned). Terms and conditions are consistent with the trust relationships established with the entities that own, operate, or maintain external systems and include descriptions of shared responsibilities.
Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to the organizational system and over whom organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals may vary depending on the trust relationships between organizations. Organizations need assurance that external systems satisfy the necessary security requirements so as not to compromise, damage, or harm the system. This requirement is related to 03.16.03.
Assessment Methods and Objectives
Examine [SELECT FROM: access control policy and procedures; procedures for the use of external systems; terms and conditions for the use of external systems; external systems security requirements; list of types of applications accessible from external systems; system configuration settings; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with responsibilities for defining terms, conditions, and security requirements for the use of external systems; personnel with information security responsibilities; system administrators]
Test [SELECT FROM: mechanisms for implementing or enforcing terms, conditions, and security requirements for the use of external systems]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.01.20.ODP[01]: security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are defined.
A.03.01.20.a: the use of external systems is prohibited unless the systems are specifically authorized.
A.03.01.20.b: the following security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are established: <A.03.01.20.ODP[01]: security requirements>.
A.03.01.20.c.01: authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit CUI only after verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied.
A.03.01.20.c.02: authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit CUI only after retaining approved system connection or processing agreements with the organizational entity hosting the external systems.
A.03.01.20.d: the use of organization-controlled portable storage devices by authorized individuals on external systems is restricted.