AC-20 Use of External Systems

Family: AC
Baselines: moderate
Mapped KSIs: 3

Control statement

a. {{ insert: param, ac-20_odp.01 }}, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
   1. Access the system from external systems; and
   2. Process, store, or transmit organization-controlled information using external systems; or
b. Prohibit the use of {{ insert: param, ac-20_odp.04 }}.

Guidance: The interrelated controls of AC-20, CA-3, and SA-9 should be differentiated as follows:

AC-20 describes system access to and from external systems.

CA-3 describes documentation of an agreement between the respective system owners when data is exchanged between the CSO and an external system.

SA-9 describes the responsibilities of external system owners. These responsibilities would typically be captured in the agreement required by CA-3.

Parameter placeholders of the form {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. The full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

| KSI | Title | Description | Category |
|---|---|---|---|
| KSI-IAM-05 | Least Privilege | _Persistently_ ensure that identity and access management employs measures to ensure each user or device can only access the resources they need. | Identity and Access Management |
| KSI-TPR-03 | Supply Chain Risk Management | _Persistently_ identify, review, and mitigate potential supply chain risks. | Third-Party Information Resources |
| KSI-TPR-04 | Supply Chain Risk Monitoring | Automatically monitor third-party software _information resources_ for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services. | Third-Party Information Resources |