NIST 800-53 REV 5 • ACCESS CONTROL

AC-20(1) Limits on Authorized Use

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:
(a) Verification of the implementation of controls on the external system as specified in the organization's security and privacy policies and security and privacy plans; or
(b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system.

Supplemental Guidance

Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

Practitioner Notes

Set specific limits on how authorized external systems can be used — what data they can access, what actions they can perform, and what security requirements they must meet.

Example 1: In your Interconnection Security Agreements (ISAs) or data processing agreements, state exactly which data the external system may access, the highest sensitivity or classification level permitted, the controls the hosting organization must maintain, and the evidence (assessment report, system security plan extract, or third-party attestation) that shows those controls are in place. Review these limits at least annually and whenever the external system's authorization, assessment results, or hosting arrangement changes. The retained agreement satisfies branch (b) of the control; the assessment evidence you collect alongside it supports branch (a).

Example 2: In Microsoft Entra ID (formerly Azure AD), limit B2B guest collaboration in two layers. First, under Cross-tenant access settings, set the inbound default to block B2B collaboration, then add each partner tenant explicitly and allow only the users and applications the agreement covers; the partner's inbound trust settings let you accept its MFA and compliant-device claims, which is the technical counterpart of verifying that the external system's controls are in place. Second, apply Conditional Access policies to guest and external users: require MFA, block every application outside the approved set, and enable "Use app enforced restrictions" so that SharePoint and OneDrive, configured for limited web-only access, deny download, print, and sync. Conditional Access on its own does not remove download or print; that enforcement comes from the application (or from a Defender for Cloud Apps session policy).
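The following is an added example, not code from the original page or from Microsoft, showing how the limits in Example 2 can be applied with the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell. The partner tenant ID, the line-of-business application ID, and the SharePoint admin URL are placeholders; the SharePoint Online application ID is the well-known first-party value. The caller is assumed to hold the Graph permissions listed in the Connect-MgGraph call. Policies are created in report-only state so the sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not from the NIST text or the original page). Requires the Microsoft.Graph
# and Microsoft.Online.SharePoint.PowerShell modules. All IDs below except the well-known
# SharePoint Online app ID are assumed placeholders; replace them before use.

$PartnerTenantId = '11111111-1111-1111-1111-111111111111'          # assumed partner tenant
$AllowedAppIds   = @(
    '00000003-0000-0ff1-ce00-000000000000',                        # Office 365 SharePoint Online (well-known)
    '22222222-2222-2222-2222-222222222222'                         # assumed line-of-business app
)
$SpoAdminUrl     = 'https://contoso-admin.sharepoint.com'          # assumed tenant admin URL

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All'

# 1. Inbound default: block B2B collaboration from any tenant that is not listed explicitly.
Update-MgPolicyCrossTenantAccessPolicyDefault -BodyParameter @{
    b2bCollaborationInbound = @{
        usersAndGroups = @{ accessType = 'blocked'
                            targets    = @(@{ target = 'AllUsers';        targetType = 'user' }) }
        applications   = @{ accessType = 'blocked'
                            targets    = @(@{ target = 'AllApplications'; targetType = 'application' }) }
    }
}

# 2. Partner tenant: allow its users, but only into the approved applications, and accept
#    the MFA and compliant-device claims it issues (the "verification of controls" branch).
$AppTargets = @($AllowedAppIds | ForEach-Object { @{ target = $_; targetType = 'application' } })
New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter @{
    tenantId = $PartnerTenantId
    b2bCollaborationInbound = @{
        usersAndGroups = @{ accessType = 'allowed'
                            targets    = @(@{ target = 'AllUsers'; targetType = 'user' }) }
        applications   = @{ accessType = 'allowed'; targets = $AppTargets }
    }
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $true
        isHybridAzureADJoinedDeviceAccepted = $false
    }
}

# 3a. Conditional Access: guests and external users are blocked from every application
#     except the approved set (defence in depth for guests from tenants not covered above).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'AC-20(1) External users: block all apps outside approved set'
    state       = 'enabledForReportingButNotEnforced'              # set to 'enabled' after review
    conditions  = @{
        users          = @{ includeUsers = @('GuestsOrExternalUsers') }
        applications   = @{ includeApplications = @('All'); excludeApplications = $AllowedAppIds }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3b. Conditional Access: for the approved apps, require MFA, enforce app-enforced
#     restrictions (web-only, no download/print/sync once SharePoint is configured below),
#     and re-authenticate every 8 hours.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'AC-20(1) External users: MFA and limited web-only access'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('GuestsOrExternalUsers') }
        applications   = @{ includeApplications = $AllowedAppIds }
        clientAppTypes = @('all')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
        signInFrequency                 = @{ isEnabled = $true; type = 'hours'; value = 8 }
    }
}

# 4. SharePoint/OneDrive honour app-enforced restrictions only when the tenant is set to
#    limited, web-only access; this is what actually removes download, print and sync.
Connect-SPOService -Url $SpoAdminUrl
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# 5. Read back the partner configuration for the change record / annual review.
Get-MgPolicyCrossTenantAccessPolicyPartner |
    Where-Object { $_.TenantId -eq $PartnerTenantId } |
    Format-List TenantId, B2BCollaborationInbound, InboundTrust
```

Keep the two Conditional Access policies in report-only mode until the sign-in logs show only the expected guest traffic being blocked, then switch them to enabled. The read-back in step 5, together with the partner's assessment evidence, is what you file against the ISA at each annual review.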