AC-20(3)—Non-Organizationally Owned Systems -- Restricted Use
>Control Description
Devices that do not belong to the enterprise (e.g., bring your own device [BYOD] policies) increase the enterprise’s exposure to cybersecurity risks throughout the supply chain. This includes devices used by suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. Enterprises should review the use of non-enterprise devices by non-enterprise personnel and make a risk-based decision as to whether they will allow the use of such devices or furnish devices. Enterprises should furnish devices to those non-enterprise personnel who present unacceptable levels of risk.
>Cross-Framework Mappings