This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2.
NIST 800-53 (r5) Discussion:
Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.
38North Guidance:
Meets Minimum Requirement:
Terms and conditions, together with an established trust relationship, must be in place before the FedRAMP production environment may be accessed from any external system that the organization does not control.
The CSP verifies that the required security controls are implemented on every external system or connection used to access, process, store, or transmit CSP-controlled information.
Best Practice:
Only permitted personnel have the ability to access the environment from external systems, and only when the access is documented and the proper authorizations are in place (for example an SLA, MOU, or ISA).
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Examples of the SLAs, MOUs, and ISAs executed with external parties whose organizations can access the FedRAMP system.
Diagrams and system configurations showing that access to the environment is limited to authorized administrators (backend) and end users (frontend).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD