AC-20(1): Limits on Authorized Use

Control Family:

Access Control

CSF v1.1 References:

Threats Addressed:


  • Moderate
  • High

Previous Version:

Control Statement

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

  1. Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
  2. Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

Supplemental Guidance

Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.