FedRAMP Limits on Authorized Use AC-20 (1)

Overview:
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

Supplemental Guidance:
This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

Related Controls:>/b> CA-2

Action Items:
1) Ensure that network and information security requirements are addressed when working with other organizations and external systems
2) Verify required security controls are in place on the external system to be accessed

Related Documents:
1) Access Control Policy
2) Network Security Policy
3) Third Party Risk Management Policy

Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
none

Moderate Additional FedRAMP Requirements and Guidance
none