NIST 800-171 - Use of External Information Systems (3.1.20)
Overview:
Verify and control/limit connections to and use of external information systems.
Action Items:
3.1.20[a]
Determine if: connections to external systems are identified.
3.1.20[b]
Determine if: the use of external systems is identified.
3.1.20[c]
Determine if: connections to external systems are verified.
3.1.20[d]
Determine if: the use of external systems is verified.
3.1.20[e]
Determine if: connections to external systems are controlled/limited.
3.1.20[f]
Determine if: the use of external systems is controlled/limited.
Potential Assessment Methods and Objects:
1) Examine: Access control policy; procedures addressing the use of external systems; terms and conditions for external systems; system security plan; list of applications accessible from external systems; system configuration settings and associated documentation; system connection or processing agreements; account management documents; other relevant documents or records.
2) Interview: Personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems; system or network administrators; personnel with information security responsibilities.
3) Test: Mechanisms implementing terms and conditions on use of external systems.
Related Documents (document name and content will vary by organization):
1) Access control policy
2) procedures addressing the use of external systems
3) terms and conditions for external systems
4) system security plan
5) list of applications accessible from external systems
6) system configuration settings and associated documentation
7) system connection or processing agreements
8) account management documents
9) other relevant documents or records
Additional Guidance:
External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented safeguards on those systems. External systems include, for example, personally owned systems or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.
Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address, at a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.
This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary safeguards so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required safeguards have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.
Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.
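As an added example (not part of NIST SP 800-171 or its assessment procedure), the following script shows what a mechanism implementing the three parts of this requirement might check: it compares observed connections against an inventory of external systems with agreed terms and conditions, flags connections to systems not in the inventory (identified), systems whose safeguard verification such as a third-party assessment or attestation is older than a set age (verified), and applications not permitted by the terms (controlled/limited). The inventory, flow records, hostnames and field names are constructed sample data and assumptions, not values from the publication.

```python
"""Evaluate observed external connections against 3.1.20 objectives.
Inventory and flows below are constructed sample data (assumption)."""
from datetime import date

# Constructed inventory of approved external systems: terms/conditions status,
# date safeguards were last verified (e.g. independent assessment/attestation),
# and the application protocols the terms permit.
APPROVED_EXTERNAL = {
    "saas.example-cloud.test": {
        "terms_accepted": True,
        "verified_on": date(2024, 3, 1),
        "allowed_apps": {"https"},
    },
    "partner-vpn.example-partner.test": {
        "terms_accepted": True,
        "verified_on": date(2022, 1, 15),  # verification is stale
        "allowed_apps": {"ssh", "https"},
    },
}
VERIFICATION_MAX_AGE_DAYS = 365  # assumed organizational re-verification period

# Constructed flow records: (internal source, external destination, application)
FLOWS = [
    ("ws-042", "saas.example-cloud.test", "https"),
    ("ws-042", "saas.example-cloud.test", "smb"),
    ("ws-017", "partner-vpn.example-partner.test", "ssh"),
    ("ws-017", "unknown.example.test", "https"),
]

def evaluate(flows, inventory, today):
    """Return (destination, objective, finding) tuples. Objectives [a]/[c]/[e]
    cover connections; the same checks applied to external systems that use
    organizational systems would map to [b]/[d]/[f]."""
    findings = []
    for _src, dst, app in flows:
        entry = inventory.get(dst)
        if entry is None:
            findings.append((dst, "3.1.20[a]", "connection to unidentified external system"))
            continue
        age = (today - entry["verified_on"]).days
        if not entry["terms_accepted"] or age > VERIFICATION_MAX_AGE_DAYS:
            findings.append((dst, "3.1.20[c]", f"safeguard verification stale ({age} days)"))
        if app not in entry["allowed_apps"]:
            findings.append((dst, "3.1.20[e]", f"application '{app}' not permitted by terms"))
    return findings

def run_sample():
    """Run the evaluation on the constructed data with a fixed assessment date."""
    return evaluate(FLOWS, APPROVED_EXTERNAL, date(2024, 6, 1))

if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```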