AC-20.1: Limits on Authorized Use

authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);

authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).

Access control policy

procedures addressing the use of external systems

system connection or processing agreements

account management documents

system security plan

other relevant documents or records

System/network administrators

organizational personnel with information security responsibilities

Mechanisms implementing limits on use of external systems