Security Control Spotlight: AC-20 (Use of External Information Systems)

By Ernest Smith, CISSP, PMP

Requirement (simplified):
Do you have contracts and/or service level agreements with the owners of every system outside your authorization boundary that processes, stores, or transmits your information?
What is an “external information system”?

  • Employee personally owned devices (I said it!)
  • Systems controlled by nongovernmental organizations
  • Systems of another government organization whose ATO is signed by an AO other than yours
  • Cloud service offerings

Questions to ask yourself:

  • Is any of your information being processed, stored, or transmitted by any of the above? How do authorized users access your information from that external information system?
  • If yes, do you have a contract in place that spells out how your system’s information will be protected from unauthorized disclosure, modification, and loss? How detailed is that contract?
  • If yes, do those systems have an ATO? Do you have a copy of that ATO?
  • Are you using Office 365, Google Business, or another cloud service offering? Do you have documentation that the DoD has issued that service a provisional authorization (PA), or at least that it holds a FedRAMP authorization?

How closely are you watching your employees? What are the odds that they have your information on their privately owned devices? How would you know? Remember to follow your data everywhere it goes once it leaves your authorization boundary!

Categories: Risk Management Framework. Tags: CONTROLS, NIST SP 800-53, RMF