AC-20(1) Limits on Authorized Use

Family: AC
Baselines: moderate
Mapped KSIs: 5

Control statement

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
    (a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
    (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

| KSI | Title | Description | Category |
| --- | --- | --- | --- |
| KSI-CNA-02 | Attack Surface | _Persistently_ ensure _machine-based_ _information resources_ have a minimal attack surface and that lateral movement is minimized if compromised. | Cloud Native Architecture |
| KSI-IAM-04 | Just-in-Time Authorization | Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services. | Identity and Access Management |
| KSI-IAM-05 | Least Privilege | _Persistently_ ensure that identity and access management employs measures to ensure each user or device can only access the resources they need. | Identity and Access Management |
| KSI-MLA-01 | Security Information and Event Management (SIEM) | Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and changes. | Monitoring, Logging, and Auditing |
| KSI-MLA-07 | Event Types | Maintain a list of information resources and event types that will be monitored, logged, and audited, then do so. | Monitoring, Logging, and Auditing |