AC.L3-3.1.2e Organizationally Controlled Assets
Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
Source: NIST SP 800-172 3.1.2e
Discussion: Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Nonorganizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.
Assessment Objectives:
Determine if:
- [a] Information resources that are owned, provisioned, or issued by the organization are identified; and
- [b] Access to systems and system components is restricted to only those information resources that are owned, provisioned, or issued by the organization.
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external systems; list of information resources owned, provisioned, or issued by the organization; security plan; system design documentation; system configuration settings and associated documentation; system connection or processing agreements; system audit records; account management documents; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for restricting or prohibiting the use of nonorganizationally owned systems, system components, or devices; system and network administrators; organizational personnel responsible for system security].
Test: [SELECT FROM: Mechanisms implementing restrictions on the use of nonorganizationally owned systems, components, or devices].
SPRS Score: 1
POA&M Allowed: Yes