💼 AC-20 Use of External Systems (L)(M)(H)

• Contextual name: 💼 AC-20 Use of External Systems (L)(M)(H)
• ID: /frameworks/fedramp-high-security-controls/ac/20
• Located in: 💼 Access Control

Description

a. [Selection (one-or-more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

1. Access the system from external systems; and
2. Process, store, or transmit organization-controlled information using external systems; or

b. Prohibit the use of [Assignment: organizationally-defined types of external systems].

AC-20 Additional FedRAMP Requirements and Guidance:

Guidance: The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

• AC-20 describes system access to and from external systems.

• CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

• SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

Similar

• Sections
  • /frameworks/nist-sp-800-53-r5/ac/20
• Internal
  • ID: dec-c-82436250

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 NIST SP 800-53 Revision 5 → 💼 AC-20 Use of External Systems	5

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 FedRAMP Low Security Controls → 💼 AC-20 Use of External Systems (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AC-20 Use of External Systems (L)(M)(H)	2

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 AC-20(1) Limits on Authorized Use (M)(H)
💼 AC-20(2) Portable Storage Devices — Restricted Use (M)(H)