RMF Control AC-20: Use of External Systems is a cybersecurity control that helps to protect information systems by limiting the use of external systems to access or process organization-controlled information. This control is important because it can help to prevent unauthorized access to information systems and data.

Use of External Systems Requirements

The requirements for RMF Control AC-20: Use of External Systems are specified in NIST Special Publication 800-53, Revision 5. They state that the organization must:

  • Identify and limit the actions that can be performed without identification or authentication;
  • Document the permitted actions without identification or authentication; and
  • Monitor and audit the actions that are performed without identification or authentication.

Use of External Systems Best Practices

In addition to meeting the RMF Control AC-20: Use of External Systems requirements, organizations can follow a number of best practices to improve their security posture around the use of external systems. These best practices include:

  • Only allowing authorized users to use external systems to access or process organization-controlled information;
  • Implementing a risk-based approach to the use of external systems. For example, you may want to restrict the use of external systems to access or process certain types of data;
  • Monitoring and auditing the use of external systems to identify and respond to suspicious activity;
  • Educating users on the importance of security when using external systems and how to protect organization-controlled information.

Benefits of Use of External Systems

Use of external systems can provide a number of benefits to organizations, including:

  • Increased flexibility: Use of external systems can allow organizations to be more flexible in their operations. For example, employees can use external systems to work from anywhere or to access resources that are not available on the organization’s internal network.
  • Reduced costs: Use of external systems can help organizations to reduce costs associated with hardware, software, and maintenance.
  • Improved access to resources: Use of external systems can give organizations access to resources that they would not otherwise be able to access, such as cloud-based services and specialized applications.

How to Implement Use of External Systems

There are a number of ways to implement use of external systems. One common approach is to use a remote access solution, such as a virtual private network (VPN). VPNs allow users to create a secure connection to the organization’s internal network from anywhere in the world.

Another approach to implementing use of external systems is to use a cloud-based service. There are a number of cloud-based services that offer a variety of capabilities, such as storage, computing, and applications. Cloud-based services can be relatively easy to implement and use.

Example of Use of External Systems

One example of use of external systems is when an employee uses their personal laptop to connect to their employer’s VPN in order to access resources on the employer’s internal network. This allows the employee to work from anywhere and to access resources that they would not be able to access without using the VPN.

Another example of use of external systems is when an organization uses a cloud-based service to store customer data. This allows the organization to save money on hardware and maintenance costs, and it also gives the organization access to resources that it would not be able to access without using a cloud-based service.

Conclusion

RMF Control AC-20: Use of External Systems is an important cybersecurity control that helps to protect information systems by limiting the use of external systems to access or process organization-controlled information. By following the requirements and best practices for RMF Control AC-20: Use of External Systems, organizations can help to improve their security posture, reduce the risk of data breaches, and increase user awareness.

Additional Tips for Implementing and Enforcing Use of External Systems

  • Use a centralized system to manage the policies and procedures that govern use of external systems. This will help to ensure that those policies are implemented and enforced consistently across the organization.
  • Implement a risk-based approach to use of external systems. This will help to ensure that efforts to control the use of external systems are focused on the areas of greatest risk.
  • Monitor and audit the use of external systems to identify and respond to suspicious activity. This can be done using a variety of tools and techniques, such as security information and event management (SIEM) solutions and intrusion detection systems (IDS).
  • Educate users on the importance of security when using external systems and how to protect organization-controlled information. This can be done through training programs, documentation, and other resources.

By following these tips, organizations can help to ensure that their use of external systems is implemented and enforced effectively.
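
As an added example (not part of the original page and not taken from NIST's text), the practices above, namely authorized users only, risk-based limits by data type, and monitoring, can be expressed as one centrally managed policy check run over access records. The system types, user names, classification levels and sample records are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical policy values; none of these come from NIST SP 800-53 or the page.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2}
# Highest data classification each approved kind of external system may handle.
MAX_CLASS = {"personal_laptop_vpn": "internal", "approved_cloud": "confidential"}
AUTHORIZED_USERS = {"alice", "bob"}  # users approved to use external systems


@dataclass(frozen=True)
class Access:
    user: str
    system: str      # kind of external system used
    data_class: str  # classification of the data accessed or processed


def evaluate(a: Access) -> list:
    """Return the policy violations for one access record (empty list = allowed)."""
    findings = []
    if a.user not in AUTHORIZED_USERS:
        findings.append("user not authorized for external systems")
    limit = MAX_CLASS.get(a.system)
    if limit is None:
        findings.append("external system type not approved")
    else:
        # Unknown classifications rank above every known one, so they fail closed.
        rank = CLASS_RANK.get(a.data_class, max(CLASS_RANK.values()) + 1)
        if rank > CLASS_RANK[limit]:
            findings.append(f"{a.data_class} data exceeds {limit} limit for {a.system}")
    return findings


def audit(records) -> dict:
    """Map each violating record to its findings, ready to forward as alerts."""
    return {r: f for r in records if (f := evaluate(r))}


# Constructed sample records, standing in for VPN or cloud access logs.
SAMPLE = [
    Access("alice", "personal_laptop_vpn", "internal"),
    Access("alice", "personal_laptop_vpn", "confidential"),
    Access("carol", "approved_cloud", "public"),
    Access("bob", "home_nas", "internal"),
    Access("bob", "approved_cloud", "secret"),
]

if __name__ == "__main__":
    for record, findings in audit(SAMPLE).items():
        print(record, "->", "; ".join(findings))
```
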