Level 1
Description:
External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls, or over the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices, and privately owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.
Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address, as a minimum, the types of applications that can be accessed on organizational systems from external systems, and the maximum security category of information that can be processed, stored, or transmitted on external systems. If terms and conditions with the owners of external systems cannot be established, organizations may instead impose restrictions on organizational personnel using those external systems.
This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by the organization.
Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not, and among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.
Priority: High
Domain: ACCESS CONTROL (AC)
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
- AWS Organizations
- AWS Security Hub
- AWS Audit Manager
- AWS Artifact
Services Associated with Azure:
- Azure Virtual Network (VNet)
- Azure Firewall
- Azure Active Directory (Azure AD; now Microsoft Entra ID)
- Azure Policy
- Azure Security Center (now Microsoft Defender for Cloud)
- Azure Sentinel (now Microsoft Sentinel)
- Azure Monitor
- Azure ExpressRoute
- Azure Private Link
- Azure Data Gateway (the on-premises data gateway)
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
- Administrative: documented Data Flow Diagram (DFD)
- Technical: screenshot of firewall rules, with the business justification for each rule that permits access from external systems or networks
Possible Technology Considerations:
- Access Control List (ACL)
What needs to be answered:
Are restrictions placed on the use of personally owned or external system access devices? Is the number of access points to the system limited to allow for better monitoring of network traffic?
Checks for AWS
- Verify Terms and Conditions for Use of External Systems
Description: This check ensures that terms and conditions are established for the use of external systems in accordance with organizational security policies and procedures. The terms and conditions address the types of applications that can be accessed on organizational systems from external systems.
- Establish Controls for Personnel Using External Systems
Description: This check confirms that, if terms and conditions with the owners of external systems cannot be established, the organization imposes restrictions on organizational personnel using those external systems. This ensures that individuals accessing organizational systems from external systems adhere to the necessary controls to prevent compromise of, or harm to, organizational systems.
- Verify Controls on External Systems
Description: This check ensures that external systems used to access organizational systems (e.g., by contractors or coalition partners) have the necessary controls implemented to protect organizational systems. Verification can be achieved through third-party assessments, independent attestations, or other means that establish the effectiveness of the implemented controls.
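One way to make the second AWS check concrete at the control plane is an AWS Organizations service control policy that denies API calls whose source IP is outside the organization's networks, so personnel on personal or otherwise external devices cannot reach CUI resources directly. The block below is an added example, not code from this page or from AWS: it embeds such a policy, following the Deny / NotIpAddress / BoolIfExists pattern that AWS documents for this purpose, together with a deliberately small evaluator for just those two operators, and runs constructed requests through it. The corporate ranges, the request contexts and their labels are assumptions made for the example; the AWS policy engine evaluates far more context than this.

```python
"""Added example (not from the page or AWS): evaluate a deny-unless-corporate-network
service control policy against constructed request contexts, offline.

The evaluator implements only the NotIpAddress and BoolIfExists operators this
statement uses; it is a teaching aid, not the AWS policy engine."""
import ipaddress
import json

# Assumed corporate egress ranges (constructed for the example).
CORPORATE_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

SCP_DENY_EXTERNAL = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAccessFromOutsideCorporateNetwork",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            # Deny when the caller's IP is outside every approved range ...
            "NotIpAddress": {"aws:SourceIp": CORPORATE_CIDRS},
            # ... unless an AWS service made the call on the principal's behalf.
            # Such calls arrive from the service's own address, so without this
            # clause the SCP would also deny them.
            "BoolIfExists": {"aws:ViaAWSService": "false"},
        },
    }],
})


def _not_ip_address(expected_cidrs, actual_ip):
    """NotIpAddress: matches when the caller IP is in none of the listed CIDRs."""
    ip = ipaddress.ip_address(actual_ip)
    return not any(ip in ipaddress.ip_network(cidr) for cidr in expected_cidrs)


def _bool_if_exists(expected, actual):
    """BoolIfExists: a missing key counts as a match; otherwise compare booleans."""
    if actual is None:
        return True
    return str(actual).lower() == str(expected).lower()


_OPERATORS = {"NotIpAddress": _not_ip_address, "BoolIfExists": _bool_if_exists}


def scp_denies(policy_json, request_context):
    """True if any Deny statement's conditions all match (conditions are ANDed)."""
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        condition = stmt.get("Condition", {})
        if all(_OPERATORS[op](expected, request_context.get(key))
               for op, pairs in condition.items()
               for key, expected in pairs.items()):
            return True
    return False


# Constructed request contexts; the IPs are documentation ranges, not real hosts.
SAMPLE_REQUESTS = {
    "corporate laptop on the office network": {"aws:SourceIp": "203.0.113.10"},
    "personal device on home broadband": {"aws:SourceIp": "192.0.2.77"},
    "AWS service (e.g. CloudFormation) acting for the principal":
        {"aws:SourceIp": "192.0.2.200", "aws:ViaAWSService": "true"},
}


def audit_requests(requests=SAMPLE_REQUESTS, policy_json=SCP_DENY_EXTERNAL):
    """Map each request label to whether the SCP explicitly denies it."""
    return {name: scp_denies(policy_json, ctx) for name, ctx in requests.items()}


if __name__ == "__main__":
    for name, denied in audit_requests().items():
        print(f"{'DENIED ' if denied else 'allowed'}  {name}")
```

An SCP only restricts: when no Deny matches, the identity and resource policies still decide whether the call is allowed. Keep the approved ranges limited to egress addresses the organization actually controls (office and VPN concentrators), and re-check them whenever the network changes, since a stale range either locks staff out or lets an external system in.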
Checks for Azure
- Enforce Terms and Conditions for Use of External Systems
Description: This policy check ensures that organizations establish and enforce terms and conditions for the use of external systems in accordance with organizational security policies and procedures. The terms and conditions should address the permitted types of applications that can be accessed on organizational systems from external systems.
- Implement Access Controls for Personally Owned or External System Access Devices
Description: This policy check verifies that restrictions are in place for the use of personally owned or external system access devices. It ensures that appropriate access controls are implemented to manage and secure the connection between these devices and organizational systems.
- Limit the Number of Access Points to Enable Better Network Traffic Monitoring
Description: This policy check confirms that the number of access points to organizational systems is limited to facilitate better monitoring of network traffic. By reducing the number of access points, organizations can enhance their ability to monitor and detect suspicious or unauthorized activity.
- Establish Controls and Security Measures for External Systems
Description: This policy check ensures that external systems, such as those used by contractors or coalition partners, have the necessary controls and security measures implemented. It verifies that external systems accessing organizational systems meet the required security standards and do not compromise or harm organizational systems.
- Enforce Access Controls and Security Policies for Cloud Services
Description: This policy check validates that access controls and security policies are enforced for the use of cloud services (e.g., infrastructure as a service, platform as a service, software as a service) from organizational systems. It ensures that appropriate security measures are in place when cloud services are used to process, store, or transmit CUI.
- Regularly Assess and Verify Controls on External Systems
Description: This policy check requires organizations to regularly assess and verify the effectiveness of controls implemented on external systems. It emphasizes the need for third-party assessments, independent attestations, or other means to ensure that external systems meet the necessary security requirements to protect organizational systems.
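The "limit the number of access points" check is, in practice, a review of the inbound rule set on the perimeter: every inbound Allow rule whose source is not one of the organization's own ranges is an access point reachable from external systems and needs a business justification or removal. The block below is an added example, not code from this page or from Microsoft, that scripts that review. The rule records use the field names of Azure network security group security rules (direction, access, sourceAddressPrefix, destinationPortRange, priority), but the rules themselves and the approved source ranges are constructed for the example.

```python
"""Added example (not from the page or Microsoft): list the inbound Allow rules of a
network security group that admit traffic from outside the approved networks."""
import ipaddress

# Constructed: ranges the organization controls (corporate egress, bastion subnet).
APPROVED_SOURCES = ["203.0.113.0/24", "10.20.0.0/16"]

# Spellings of "anywhere" accepted in an NSG sourceAddressPrefix.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}

# Constructed sample rule set in the shape of NSG securityRules properties.
SAMPLE_RULES = [
    {"name": "AllowBastionSSH", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.20.1.0/24", "destinationPortRange": "22"},
    {"name": "AllowCorpHTTPS", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"},
    {"name": "AllowAnyRDP", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowPartnerSFTP", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"},
    {"name": "AllowProbes", "priority": 140, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "AllowOutboundAny", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _is_ip_literal(prefix):
    """True for an address or CIDR; False for service tags such as VirtualNetwork."""
    try:
        ipaddress.ip_network(prefix, strict=False)
        return True
    except ValueError:
        return False


def source_is_approved(prefix, approved=APPROVED_SOURCES):
    """True when the CIDR lies wholly inside one of the approved ranges."""
    src = ipaddress.ip_network(prefix, strict=False)
    for cidr in approved:
        net = ipaddress.ip_network(cidr)
        if src.version == net.version and src.subnet_of(net):
            return True
    return False


def external_access_points(rules, approved=APPROVED_SOURCES):
    """Return the inbound Allow rules reachable from outside the approved networks,
    in Azure evaluation order (lower priority number wins), with the reason each
    was flagged. Deny rules and outbound rules are not access points and are skipped."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        prefix = rule["sourceAddressPrefix"]
        if prefix in ANY_SOURCE:
            reason = "open to any source"
        elif not _is_ip_literal(prefix):
            # Non-IP service tags (AzureLoadBalancer, VirtualNetwork, ...) cannot be
            # compared against CIDRs here; surface them for a human to justify.
            reason = f"service tag {prefix} needs manual review"
        elif not source_is_approved(prefix, approved):
            reason = "source outside approved ranges"
        else:
            continue
        findings.append({"name": rule["name"], "port": rule["destinationPortRange"],
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in external_access_points(SAMPLE_RULES):
        print(f"{f['name']:<18} port {f['port']:<5} {f['reason']}")
```

Each finding maps directly onto the "firewall rules with business justification" evidence item: a rule that survives review keeps its justification on record, and the rest are removed so that external traffic converges on the few monitored entry points the check asks for.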
More Details:
Access to CUI-containing systems is brokered through a cloud-based service that does not establish a two-way connection between those systems and the devices used to reach them: the external device receives only a presented session (e.g., a virtual desktop or browser-isolation service), and no direct network path or data channel is opened from the CUI system to the device.