AC-20(1)

  • Requirement

    Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

    1. Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
    2. Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
  • Discussion

    Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

More Info

  • Title

    Use of External Systems | Limits on Authorized Use
  • Family

    Access Control
  • NIST 800-53B Baseline(s)

    • Moderate
    • High
  • Related NIST 800-53 ID

    CA-2

NIST 800-53A Assessment Guidance
