Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
- Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
- Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.