NIST 800-171
3.1 ACCESS CONTROL
3.1.20
Verify and control/limit connections to and use of external systems
External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls, or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.

Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address, as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.

Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI, there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.
What is a Cybersecurity Compliance Framework?
You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as those programs become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly specialized, in-demand security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- HIPAA
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI DSS (Payment Card Industry Data Security Standard)
- SOC 2
- NIST 800-53
- NIST SP 800-161 Supply Chain Risk Management
- NIST CSF
- CIS Critical Security Controls v8