1. Home
  2. FedRAMP
  3. AC-20

BRACKETOLOGY | FEDRAMP

AC-20: USE OF EXTERNAL INFORMATION SYSTEMS

  • FedRAMP Baseline Membership AC-20:
  • LOW
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

    • a. Access the information system from external information systems; and
    • b. Process, store, or transmit organization-controlled information using external information systems.

SUPPLEMENTAL GUIDANCE

A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements artilated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

CONTROL ENHANCEMENTS

AC-20 (1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE
  • FedRAMP Baseline Membership AC-20 (1):
  • MODERATE
  • HIGH

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:

    • (a) Verifies the implementation of required security controls on the external system as specified in the organization�s information security policy and security plan; or
    • (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

Supplemental Guidance:

This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

RELATED CONTROLS: AC-20 (1)

AC-20 (2) USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES
  • FedRAMP Baseline Membership AC-20 (2):
  • MODERATE
  • HIGH

The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a Low Impact system.

There are no FedRAMP-specific requirements if this control is used for a Moderate Impact system.

There are no FedRAMP-specific requirements if this control is used for a High Impact system.


Supplemental Guidance:

Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.

AC-20 (3) USE OF EXTERNAL INFORMATION SYSTEMS | NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES

The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

Supplemental Guidance:

Non-organizationally owned devices include devices owned by other organizations (e.g., federal/state agencies, contractors) and personally owned devices. There are risks to using non-organizationally owned devices. In some cases, the risk is sufficiently high as to prohibit such use. In other cases, it may be such that the use of non-organizationally owned devices is allowed but restricted in some way. Restrictions include, for example: (i) requiring the implementation of organization-approved security controls prior to authorizing such connections; (ii) limiting access to certain types of information, services, or applications; (iii) using virtualization techniques to limit processing and storage activities to servers or other system components provisioned by the organization; and (iv) agreeing to terms and conditions for usage. For personally owned devices, organizations consult with the Office of the General Counsel regarding legal issues associated with using such devices in operational environments, including, for example, requirements for conducting forensic analyses during investigations after an incident.

AC-20 (4) USE OF EXTERNAL INFORMATION SYSTEMS | NETWORK ACCESSIBLE STORAGE DEVICES

The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems.

Supplemental Guidance:

Network accessible storage devices in external information systems include, for example, online storage devices in public, hybrid, or community cloud-based systems.

REFERENCES:

  • FIPS Publication 199