CCI-003754

Implementation Guidance

Determine if the use of [AC-20_ODP[04]; types of external systems prohibited from use are defined] is prohibited (if applicable).

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing the use of external systems; external systems terms and conditions; list of types of applications accessible from external systems; maximum security categorization for information processed, stored, or transmitted on external systems; system configuration settings and associated documentation; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems; system/network administrators; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Mechanisms implementing terms and conditions on the use of external systems].