CCI-003753

Defines the controls asserted to be implemented on external systems allowing individuals to process, store, or transmit organization-controlled information using external systems.

Implementation Guidance

Determine if [AC-20_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {establish [AC-20_ODP[02]; terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected)]; identify [AC-20_ODP[03]; controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected)]}]]] is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable).

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing the use of external systems; external systems terms and conditions; list of types of applications accessible from external systems; maximum security categorization for information processed, stored, or transmitted on external systems; system configuration settings and associated documentation; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems; system/network administrators; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Mechanisms implementing terms and conditions on the use of external systems].

The controls below (if any) were marked by NIST as being related to CCI-003753.