CMMC 2.0 • LEVEL 1 • ACCESS CONTROL

AC.L1-3.1.20 Use of External Systems

Prohibit the use of external systems unless the systems are specifically authorized. Establish the following security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: all systems that store, process, or transmit CUI and all remote access connections used to access CUI [CMMC/STIG].

Permit authorized individuals to use external systems to access the organizational system or to process, store, or transmit CUI only after:

  • verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied; and
  • retaining approved system connection or processing agreements with the organizational entities hosting the external systems.

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems.

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • the following security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are established: all systems that store, process, or transmit CUI and all remote access connections used to access CUI [CMMC/STIG].
  • the use of external systems is prohibited unless the systems are specifically authorized.
  • authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit CUI only after verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied.
  • the use of organization-controlled portable storage devices by authorized individuals on external systems is restricted.
  • authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit CUI only after retaining approved system connection or processing agreements with the organizational entity hosting the external systems.

Practitioner Notes

Practitioner commentary coming soon.