catalog: SP800-53rev3 / class: Technical / family: (AC) Access Control

AC-20: Use of External Information Systems

base control objective:
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.

supplemental objective information:
External information systems are information systems or components of information systems that are outside of the authorization boundary established by the organization and for which the organization typically has no direct supervision and authority over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to:
(i) personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants);
(ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports);
(iii) information systems owned or controlled by nonfederal governmental organizations; and
(iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of the organization.
For some external systems, in particular those systems operated by other federal agencies, including organizations subordinate to those agencies, the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. In effect, the information systems of these organizations would not be considered external. These situations typically occur when, for example, there is some pre-existing sharing or trust agreement (either implicit or explicit) established between federal agencies and/or organizations subordinate to those agencies, or such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational information system. The restrictions that an organization imposes on authorized individuals need not be uniform, as those restrictions are likely to vary depending upon the trust relationships between organizations. Thus, an organization might impose more stringent security restrictions on a contractor than on a state, local, or tribal government.
This control does not apply to the use of external information systems to access public interfaces to organizational information systems and information (e.g., individuals accessing federal information through www.usa.gov). The organization establishes terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions address, at a minimum: (i) the types of applications that can be accessed on the organizational information system from the external information system; and (ii) the maximum security categorization of information that can be processed, stored, and transmitted on the external information system. This control defines access authorizations enforced by AC-3, rules of behavior requirements enforced by PL-4, and session establishment rules enforced by AC-17.

enhancements to the base objective:

(1) The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization:
(a) Can verify the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.

(2) The organization imposes restrictions on authorized individuals with regard to the use of organization-controlled removable media on external information systems.

mapping to FIPS199 baseline:

LOW: base     MOD: base (1) (2)     HIGH: base (1) (2)
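The base terms and conditions, enhancements (1) and (2), and the baseline mapping above can be expressed as a policy-as-code decision. The following is an added illustration, not NIST text or any official tooling; the request fields, the treatment of a trusted federal partner as "not external", the FIPS 199 ordering, and the assumption that enhancement (2) denies removable-media use by default are all constructed for this example.

```python
"""Policy-as-code sketch of SP 800-53 rev3 AC-20 (added illustration, not NIST's).

Assumptions (constructed): a request names the application, the FIPS 199
categorization of the data involved, the trust/agreement state and whether
organization-controlled removable media is used; the deciding system's own
impact level selects the baseline (LOW: base only; MOD/HIGH: base + (1) + (2)).
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}   # FIPS 199 impact ordering


@dataclass(frozen=True)
class Terms:
    """The organization's AC-20 terms and conditions (minimum content per the control)."""
    allowed_apps: frozenset          # (i) application types reachable from external systems
    max_categorization: str          # (ii) highest categorization allowed on external systems


@dataclass(frozen=True)
class Request:
    app: str
    data_categorization: str
    trusted_federal_partner: bool = False   # pre-existing agency trust: not "external"
    controls_verified: bool = False         # enhancement (1)(a)
    approved_agreement: bool = False        # enhancement (1)(b)
    uses_removable_media: bool = False      # enhancement (2)


def evaluate(req: Request, terms: Terms, impact_level: str) -> list:
    """Return the reasons the use is not permitted; an empty list means permitted."""
    if req.trusted_federal_partner:
        return []   # system of a trusted agency is not considered external (no explicit terms)
    reasons = []
    if req.app not in terms.allowed_apps:
        reasons.append("base: application type not covered by the terms and conditions")
    if LEVELS[req.data_categorization] > LEVELS[terms.max_categorization]:
        reasons.append("base: categorization exceeds the maximum allowed on external systems")
    if impact_level in ("moderate", "high"):   # enhancements apply only in MOD/HIGH baselines
        if not (req.controls_verified or req.approved_agreement):
            reasons.append("AC-20(1): controls not verified and no approved agreement")
        if req.uses_removable_media:
            # Assumption: the organization's restriction is "not permitted by default".
            reasons.append("AC-20(2): removable media on external systems is restricted")
    return reasons
```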

related (regimented) controls:

AC-03   Access Enforcement
AC-17   Remote Access
PL-04   Rules of Behavior

documents referenced in SP800-53rev3 for AC-20:

Document          Date            Status    Title
FIPS 199          February 2004   current   Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-113    July 2008       current   Guide to SSL VPNs
NIST SP800-46     June 2009       current   Guide to Enterprise Telework and Remote Access Security
NIST SP800-77     December 2005   current   Guide to IPsec VPNs