By Ernest Smith, CISSP, PMP
Requirement (simplified):
Do you have contracts and/or service level agreements with the owners of any system outside your authorization boundary that is processing, storing, or transmitting your information?
Breakdown:
What is an “external information system”?
- Employee personally owned devices (I said it!)
- Systems controlled by nongovernmental organizations (contractors, vendors, partners)
- Systems belonging to another government organization whose ATO was signed by an AO other than yours
- Cloud service offerings
Questions:
- Is any of your information being processed, stored, or transmitted by any of the above? How do authorized users access your information from that external information system?
- If yes, do you have a contract in place that outlines how your system’s information will be protected from unauthorized disclosure, modification, and loss? How detailed is that contract? Does it name the security requirements the external party must meet, who is responsible for what, and how security incidents will be reported to you?
- If yes, do these systems have an ATO? Do you have a copy of that ATO, and is it still current?
- Are you using Office 365, Google Workspace, or another cloud service offering? Do you have a document showing that the DoD has issued that service a provisional authorization (PA), or at least that it holds a FedRAMP authorization?
Issues:
How closely are you watching your employees? What are the chances they have your information on their privately owned devices? How would you know? Remember to follow your data everywhere it goes once it leaves your authorization boundary: if you cannot name the external system, the agreement that governs it, and the authorization that covers it, you do not yet know where your information is.