
03.01.20 Use of External Systems

Control Description

Prohibit the use of external systems unless the systems are specifically authorized.

Establish the following security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: organization-defined security requirements.

Permit authorized individuals to use external systems to access the organizational system or to process, store, or transmit CUI only after:

  • Verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied; and
  • Retaining approved system connection or processing agreements with the organizational entities hosting the external systems.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address 03.01.20?
  • Who is accountable for implementing and maintaining 03.01.20 controls?
  • How frequently are 03.01.20 requirements reviewed, and what triggers updates?
  • What process ensures changes to systems maintain compliance with 03.01.20 requirements?
  • How are exceptions to 03.01.20 requirements documented and approved?

Technical Implementation:

  • What technical controls enforce 03.01.20 in your environment?
  • How are 03.01.20 controls configured and maintained across all systems?
  • What automated mechanisms support 03.01.20 compliance?
  • How do you validate that 03.01.20 implementations achieve their intended security outcome?
  • What compensating controls exist if primary 03.01.20 controls cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves 03.01.20 is implemented and operating effectively?
  • Can you provide configuration evidence showing how 03.01.20 is technically enforced?
  • What audit logs or monitoring data demonstrate ongoing 03.01.20 compliance?
  • Can you show evidence of a recent review or assessment of 03.01.20 controls?
  • What artifacts would you provide during an assessment to demonstrate 03.01.20 compliance?
