This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
NIST 800-53 (r4) Supplemental Guidance:
Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.
NIST 800-53 (r5) Discussion:
Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.
38North Guidance:
Meets Minimum Requirement:
Terms and conditions along with trust relationships need to be established if the FedRAMP production environment can be accessed from another external system that is not controlled by the organization.
Documented policies & procedures that define what is allowed specifically for portable storage devices, such as USB thumb drives or writeable CD drives, by personnel from external systems.
Best Practice:
Only allow permitted personnel with documented approval to use portable storage devices to access other external systems. Documentation such as an SLA, MOU, or ISA should be in place.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Examples of SLAs, MOUs, and ISAs with external parties that can access the FedRAMP system from their organization.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD