800-53|AC-20

Title

USE OF EXTERNAL INFORMATION SYSTEMS

Description

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

Supplemental

External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. 
Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

Reference Item Details

Related: AC-17,AC-19,AC-3,CA-3,PL-4,SA-9

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.3 Set 'Access to published calendars' to 'Enabled' | Windows | CIS MS Office Outlook 2010 v1.0.0 |
| 1.9.8.1.2.1 Ensure 'Access to published calendars' is set to Enabled | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1 |
| 1.9.8.1.2.1 Ensure 'Access to published calendars' is set to Enabled | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1 |
| 1.9.8.1.2.3 Ensure 'Prevent publishing to Office.com' is set to Enabled | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1 |
| 1.9.8.1.2.3 Ensure 'Prevent publishing to Office.com' is set to Enabled | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1 |
| 1.9.8.1.2.5 Ensure 'Restrict upload method' is set to Enabled | Windows | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1 |
| 1.9.8.1.2.5 Ensure 'Restrict upload method' is set to Enabled | Windows | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1 |
| 1.22 Set 'Prevent publishing to Office.com' to 'Enabled' | Windows | CIS MS Office Outlook 2010 v1.0.0 |
| 1.28 Set 'Restrict upload method' to 'Enabled' | Windows | CIS MS Office Outlook 2010 v1.0.0 |
| 2.1.1.1 Audit iCloud Keychain | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L2 |
| 2.1.1.1 Audit iCloud Keychain | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L2 |
| 2.1.1.2 Audit iCloud Drive | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L2 |
| 2.1.1.2 Audit iCloud Drive | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L2 |
| 2.1.1.3 Ensure iCloud Drive Document and Desktop Sync Is Disabled | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L2 |
| 2.1.1.3 Ensure iCloud Drive Document and Desktop Sync Is Disabled | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L2 |
| 2.1.1.5 Audit Freeform Sync to iCloud | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L2 |
| 2.1.1.5 Audit Freeform Sync to iCloud | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L2 |
| 2.1.1.6 Audit Find My Mac | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L2 |
| 2.1.1.6 Audit Find My Mac | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L2 |
| 2.2.1.3 Ensure 'Allow managed apps to store data in iCloud' is set to 'Disabled' | MDM | MobileIron - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1 |
| 2.2.1.3 Ensure 'Allow managed apps to store data in iCloud' is set to 'Disabled' | MDM | MobileIron - CIS Apple iOS 14 and iPadOS 14 v1.0.0 End User Owned L1 |
| 2.2.1.3 Ensure 'Allow managed apps to store data in iCloud' is set to 'Disabled' | MDM | AirWatch - CIS Apple iOS 13 and iPadOS 13 v1.0.0 End User Owned L1 |
| 2.15 Audit Internet Accounts for Authorized Use | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1 |
| 2.16 Audit Internet Accounts for Authorized Use | Unix | CIS Apple macOS 12.0 Monterey v3.1.0 L1 |
| 2.17.1 Audit Internet Accounts for Authorized Use | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L1 |
| 2.17.1 Audit Internet Accounts for Authorized Use | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L1 |
| 18.9.52.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.52.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 18.9.52.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.9.52.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 18.9.52.2 (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.52.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 18.9.52.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 18.9.52.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.9.58.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 |
| 18.9.58.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 |
| 18.9.58.2 (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 |
| 18.9.58.2 (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 |
| 18.10.51.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 MS L1 v3.0.0 |
| 18.10.51.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 L1 MS |
| 18.10.51.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 DC L1 v3.0.0 |
| 18.10.51.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Windows Server 2012 DC L1 v3.0.0 |
| 18.10.51.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Windows Server 2012 MS L1 v3.0.0 |
| 18.10.51.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 L1 DC |
| 18.10.51.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 L1 DC |
| 18.10.51.1 Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2022 STIG v1.0.0 L1 MS |
| 18.10.51.2 (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Windows Server 2012 DC L1 v3.0.0 |
| 18.10.51.2 (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 DC L1 v3.0.0 |
| 18.10.51.2 (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 MS L1 v3.0.0 |
| 18.10.51.2 (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | Windows | CIS Windows Server 2012 MS L1 v3.0.0 |