CCI-002338

Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using organization-defined restrictions.

Implementation Guidance

The organization being inspected/assessed documents and implements a process to restrict or prohibit the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

Compelling Evidence

1.) Signed and dated system security plan (SSP) 2.) Signed and dated MOU/MOA with any external information systems that describes the process that restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

The controls below (if any) were marked by NIST as being related to CCI-002338.