800-53|AC-20

Title

USE OF EXTERNAL INFORMATION SYSTEMS

Description

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

Supplemental

External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies.
Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

Reference Item Details

Related: AC-17,AC-19,AC-3,CA-3,PL-4,SA-9

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
2.1.1.5 Audit Freeform Sync to iCloud | Unix | CIS Apple macOS 15.0 Sequoia v1.0.0 L2
2.1.1.5 Audit Freeform Sync to iCloud | Unix | CIS Apple macOS 14.0 Sonoma v2.0.0 L2
2.1.1.5 Audit Freeform Sync to iCloud | Unix | CIS Apple macOS 13.0 Ventura v3.0.0 L2
2.6.1 iCloud configuration | Unix | CIS Apple macOS 10.13 L2 v1.1.0
2.6.1.1 Audit iCloud Configuration | Unix | CIS Apple macOS 10.14 v2.0.0 L2
2.6.2 iCloud keychain | Unix | CIS Apple macOS 10.13 L2 v1.1.0
2.6.3 iCloud Drive | Unix | CIS Apple macOS 10.13 L2 v1.1.0
2.7.1 iCloud configuration | Unix | CIS Apple macOS 10.12 L2 v1.2.0
2.7.2 iCloud keychain | Unix | CIS Apple macOS 10.12 L2 v1.2.0
2.7.3 iCloud Drive | Unix | CIS Apple macOS 10.12 L2 v1.2.0
2.15 Audit Internet Accounts for Authorized Use | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.16 Audit Internet Accounts for Authorized Use | Unix | CIS Apple macOS 12.0 Monterey v3.1.0 L1
2.17.1 Audit Internet Accounts for Authorized Use | Unix | CIS Apple macOS 13.0 Ventura v3.0.0 L1
3.2.1.6 Review 'Allow iCloud Keychain' settings | MDM | MobileIron - CIS Apple iPadOS 18 v1.0.0 L1 Institutionally Owned
3.2.1.6 Review 'Allow iCloud Keychain' settings | MDM | AirWatch - CIS Apple iOS 18 v1.0.0 L1 Institution Owned
3.2.1.6 Review 'Allow iCloud Keychain' settings | MDM | MobileIron - CIS Apple iOS 18 v1.0.0 L1 Institution Owned
3.2.1.6 Review 'Allow iCloud Keychain' settings | MDM | AirWatch - CIS Apple iPadOS 18 v1.0.0 L1 Institutionally Owned
AIOS-02-080002 - Apple iOS must not allow backup to remote systems (iCloud). | MDM | AirWatch - DISA Apple iOS 10 v1r3
AIOS-02-080002 - Apple iOS must not allow backup to remote systems (iCloud). | MDM | MobileIron - DISA Apple iOS 10 v1r3
AIOS-02-080003 - Apple iOS must not allow backup to remote systems (iCloud document and data synchronization). | MDM | MobileIron - DISA Apple iOS 10 v1r3
AIOS-02-080003 - Apple iOS must not allow backup to remote systems (iCloud document and data synchronization). | MDM | AirWatch - DISA Apple iOS 10 v1r3
AIOS-02-080004 - Apple iOS must not allow backup to remote systems (iCloud Keychain). | MDM | AirWatch - DISA Apple iOS 10 v1r3
AIOS-02-080004 - Apple iOS must not allow backup to remote systems (iCloud Keychain). | MDM | MobileIron - DISA Apple iOS 10 v1r3
AIOS-02-080005 - Apple iOS must not allow backup to remote systems (My Photo Stream). | MDM | AirWatch - DISA Apple iOS 10 v1r3
AIOS-02-080005 - Apple iOS must not allow backup to remote systems (My Photo Stream). | MDM | MobileIron - DISA Apple iOS 10 v1r3
AIOS-02-080006 - Apple iOS must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams). | MDM | AirWatch - DISA Apple iOS 10 v1r3
AIOS-02-080006 - Apple iOS must not allow backup to remote systems (iCloud Photo Sharing, also known as Shared Photo Streams). | MDM | MobileIron - DISA Apple iOS 10 v1r3
AIOS-02-080102 - Apple iOS must implement the management setting: not allow use of Handoff. | MDM | AirWatch - DISA Apple iOS 10 v1r3
AIOS-02-080102 - Apple iOS must implement the management setting: not allow use of Handoff. | MDM | MobileIron - DISA Apple iOS 10 v1r3
AIOS-02-080104 - Apple iOS must implement the management setting: require password when connecting to AirPlay device for the first time. | MDM | MobileIron - DISA Apple iOS 10 v1r3
AIOS-02-080104 - Apple iOS must implement the management setting: require password when connecting to AirPlay device for the first time. | MDM | AirWatch - DISA Apple iOS 10 v1r3
AIOS-11-080201 - Apple iOS must not allow backup to locally connected systems. | MDM | MobileIron - DISA Apple iOS 10 v1r3
AIOS-11-080201 - Apple iOS must not allow backup to locally connected systems. | MDM | AirWatch - DISA Apple iOS 10 v1r3
AIOS-12-012300 - A managed photo app must be used to take and store work related photos. | MDM | MobileIron - DISA Apple iOS 12 v2r1
AIOS-12-012300 - A managed photo app must be used to take and store work related photos. | MDM | AirWatch - DISA Apple iOS 12 v2r1
AIOS-13-012300 - A managed photo app must be used to take and store work-related photos. | MDM | AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-012300 - A managed photo app must be used to take and store work-related photos. | MDM | MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-012500 - Apple iOS/iPadOS must implement the management setting: enable USB Restricted Mode. | MDM | AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013000 - Apple iOS/iPadOS must implement the management setting: disable AirDrop. | MDM | AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013000 - Apple iOS/iPadOS must implement the management setting: disable AirDrop. | MDM | MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013100 - Apple iOS/iPadOS must implement the management setting: disable paired Apple Watch. | MDM | MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013100 - Apple iOS/iPadOS must implement the management setting: disable paired Apple Watch. | MDM | AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013200 - Apple iOS/iPadOS must disable password autofill in browsers and applications. | MDM | AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013200 - Apple iOS/iPadOS must disable password autofill in browsers and applications. | MDM | MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013300 - Apple iOS/iPadOS must disable allow setting up new nearby devices. | MDM | AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013300 - Apple iOS/iPadOS must disable allow setting up new nearby devices. | MDM | MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013400 - Apple iOS/iPadOS must disable password proximity requests. | MDM | AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013400 - Apple iOS/iPadOS must disable password proximity requests. | MDM | MobileIron - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013500 - Apple iOS/iPadOS must disable password sharing. | MDM | AirWatch - DISA Apple iOS/iPadOS 13 v2r1
AIOS-13-013500 - Apple iOS/iPadOS must disable password sharing. | MDM | MobileIron - DISA Apple iOS/iPadOS 13 v2r1