Question 1

What is NIST 800-53 AC-20 (Use of External Systems)?

Accepted Answer

AC-20 is about controlling how external systems connect to or interact with your organizational system and data. I focus on making sure you establish terms and conditions that match the trust relationship, prohibit unauthorized connections, and monitor external use. You also need to document each external connection—interfaces, security requirements, and what information is shared.

Question 2

What counts as an “external system” under AC-20?

Accepted Answer

An external system is used by your organization but it’s not part of your system and you don’t have direct control over the required controls. That can include personally owned devices, contractor-managed systems, non-federal systems, or even another system in the same company with a different authorization boundary. The key is the lack of direct control and the boundary/trust relationship.

Question 3

How do I test or assess AC-20 during a Security Control Assessment (SCA)?

Accepted Answer

When I assess AC-20, I start by examining the SSP and the access control policy and procedures to see what external entities are permitted. Then I verify you have the right interconnection paperwork—SLA, MOU/MOA, and an ISA/connection security agreement—spelling out the security requirements. A lot of the time, assessors reference CA-3 for the actual interconnection testing.

Question 4

What documents are required for AC-20 interconnections (SLA, MOU, ISA)?

Accepted Answer

If an external entity is connecting to your system (or you’re connecting to theirs), you need to spell out the security measures up front. That’s where the SLA, the MOU/MOA, and the Interconnection Security Agreement come in. I look for clear security requirements, interface details, and what data is being exchanged.

Question 5

Is AC-20 applicable if my system has no interconnections?

Accepted Answer

If your system has no interconnections with other systems, AC-20 may end up being not applicable in practice. I still want you to be clear in your SSP and policies, but without external connections there may be nothing to test. This is something I see often during assessments.

Question 6

Does AC-20 apply to public-facing systems and public interfaces?

Accepted Answer

No—external systems used to access public interfaces are outside the scope of AC-20. If your system is designed to serve the public through a public-facing interface, AC-20 isn’t meant to restrict that public access path. The control is focused on external systems accessing organizational systems in a trust/authorization context.

Question 7

Why do assessors often map AC-20 testing to CA-3?

Accepted Answer

Because interconnections are heavily covered under CA-3, and in real assessment spreadsheets you’ll often see AC-20 marked as “refer to CA-3.” The detailed testing usually happens where the interconnection is evaluated end-to-end. So AC-20 becomes more about ensuring the terms, conditions, and documentation exist and align.

Episode 17_USE OF EXTERNAL SYSTEMS_ (AC-20)

🛍️ Products Mentioned (4)

Official NIST publications, standards, and guidance

Official KamilSec branded designs and apparel

PayPal

*Patreon & Channel Support*******

About This Video

Frequently Asked Questions

🎬 More from KamilSec