Control: The organisation establishes terms and conditions, consistent with any trust relationships established with other organisations owning, operating, and/or maintaining external information systems, allowing authorised individuals to:
B. Process, store, or transmit organisation-controlled information using external information systems.
Supplemental Guidance:
External information systems are information systems or components of information systems that are outside of the authorisation boundary established by organisations and for which organisations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example:
(i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants);
(ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports);
(iii) information systems owned or controlled by nonfederal governmental organisations; and
(iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organisations.
This control also addresses the use of external information systems for the processing, storage, or transmission of organisational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organisational information systems.
For some external information systems (i.e., information systems operated by other federal agencies, including organisations subordinate to those agencies), the trust relationships that have been established between those organisations and the originating organisation may be such that no explicit terms and conditions are required. Information systems within these organisations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organisations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorised individuals include, for example, organisational personnel, contractors, or other individuals with authorised access to organisational information systems and over which organisations have the authority to impose rules of behaviour with regard to system access. Restrictions that organisations impose on authorised individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organisations. Therefore, organisations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.
This control does not apply to the use of external information systems to access public interfaces to organisational information systems (e.g., individuals accessing federal information through www.usa.gov). Organisations establish terms and conditions for the use of external information systems in accordance with organisational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organisational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organisations may impose restrictions on organisational personnel using those external systems.
Use of External Information Systems Control Enhancements:
AC-20 (1) Use of External Information Systems - Limits on authorised use
The organisation permits authorised individuals to use an external information system to access the information system or to process, store, or transmit organisation-controlled information only when the organisation:
(a) Verifies the implementation of required security controls on the external system as specified in the organisation's information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organisational entity hosting the external information system.
Supplemental Guidance:
This control enhancement recognises that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organisational information systems. In those situations, organisations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organisational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organisations.
Related control: CA-2.
AC-20 (2) Use of External Information Systems - Portable storage devices
The organisation [Selection: restricts; prohibits] the use of organisation-controlled portable storage devices by authorised individuals on external information systems.
Supplemental Guidance:
Limits on the use of organisation-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.
AC-20 (3) Use of External Information Systems - Non-organisationally owned systems / components / devices
The organisation [Selection: restricts; prohibits] the use of non-organisationally owned information systems, system components, or devices to process, store, or transmit organisational information.
Supplemental Guidance:
Non-organisationally owned devices include devices owned by other organisations (e.g., federal/state agencies, contractors) and personally owned devices. There are risks to using non-organisationally owned devices. In some cases, the risk is sufficiently high as to prohibit such use. In other cases, it may be such that the use of non-organisationally owned devices is allowed but restricted in some way. Restrictions include, for example:
(i) requiring the implementation of organisation-approved security controls prior to authorising such connections;
(ii) limiting access to certain types of information, services, or applications;
(iii) using virtualisation techniques to limit processing and storage activities to servers or other system components provisioned by the organisation; and
(iv) agreeing to terms and conditions for usage.
For personally owned devices, organisations consult with the Office of the General Counsel regarding legal issues associated with using such devices in operational environments, including, for example, requirements for conducting forensic analyses during investigations after an incident.
AC-20 (4) Use of External Information Systems - Network accessible storage devices
The organisation prohibits the use of [Assignment: organisation-defined network accessible storage devices] in external information systems.
Supplemental Guidance:
Network accessible storage devices in external information systems include, for example, online storage devices in public, hybrid, or community cloud-based systems.