NIST 800-53 AC-20 Mappings

External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems (e.g., prohibit the use of any external system that is not organizationally owned, or prohibit the use of personally owned systems).

For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.

External systems used to access public interfaces to organizational systems are outside the scope of AC-20. Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-20 | Use of External Systems | Protects | T1021.004 | SSH |
| AC-20 | Use of External Systems | Protects | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| AC-20 | Use of External Systems | Protects | T1052 | Exfiltration Over Physical Medium |
| AC-20 | Use of External Systems | Protects | T1052.001 | Exfiltration over USB |
| AC-20 | Use of External Systems | Protects | T1078.002 | Domain Accounts |
| AC-20 | Use of External Systems | Protects | T1098.002 | Additional Email Delegate Permissions |
| AC-20 | Use of External Systems | Protects | T1110.001 | Password Guessing |
| AC-20 | Use of External Systems | Protects | T1110.002 | Password Cracking |
| AC-20 | Use of External Systems | Protects | T1110.003 | Password Spraying |
| AC-20 | Use of External Systems | Protects | T1110.004 | Credential Stuffing |
| AC-20 | Use of External Systems | Protects | T1114.001 | Local Email Collection |
| AC-20 | Use of External Systems | Protects | T1119 | Automated Collection |
| AC-20 | Use of External Systems | Protects | T1134.005 | SID-History Injection |
| AC-20 | Use of External Systems | Protects | T1136.002 | Domain Account |
| AC-20 | Use of External Systems | Protects | T1505.005 | Terminal Services DLL |
| AC-20 | Use of External Systems | Protects | T1537 | Transfer Data to Cloud Account |
| AC-20 | Use of External Systems | Protects | T1556.001 | Domain Controller Authentication |
| AC-20 | Use of External Systems | Protects | T1556.003 | Pluggable Authentication Modules |
| AC-20 | Use of External Systems | Protects | T1556.004 | Network Device Authentication |
| AC-20 | Use of External Systems | Protects | T1557.002 | ARP Cache Poisoning |
| AC-20 | Use of External Systems | Protects | T1565 | Data Manipulation |
| AC-20 | Use of External Systems | Protects | T1565.001 | Stored Data Manipulation |
| AC-20 | Use of External Systems | Protects | T1565.002 | Transmitted Data Manipulation |
| AC-20 | Use of External Systems | Protects | T1567.001 | Exfiltration to Code Repository |
| AC-20 | Use of External Systems | Protects | T1567.002 | Exfiltration to Cloud Storage |
| AC-20 | Use of External Systems | Protects | T1583.007 | Serverless |
| AC-20 | Use of External Systems | Protects | T1584.004 | Server |
| AC-20 | Use of External Systems | Protects | T1602 | Data from Configuration Repository |
| AC-20 | Use of External Systems | Protects | T1602.001 | SNMP (MIB Dump) |
| AC-20 | Use of External Systems | Protects | T1602.002 | Network Device Configuration Dump |
| AC-20 | Use of External Systems | Protects | T1557 | Adversary-in-the-Middle |
| AC-20 | Use of External Systems | Protects | T1552.004 | Private Keys |
| AC-20 | Use of External Systems | Protects | T1550.001 | Application Access Token |
| AC-20 | Use of External Systems | Protects | T1530 | Data from Cloud Storage |
| AC-20 | Use of External Systems | Protects | T1114.003 | Email Forwarding Rule |
| AC-20 | Use of External Systems | Protects | T1111 | Multi-Factor Authentication Interception |
| AC-20 | Use of External Systems | Protects | T1098.001 | Additional Cloud Credentials |
| AC-20 | Use of External Systems | Protects | T1200 | Hardware Additions |
| AC-20 | Use of External Systems | Protects | T1136 | Create Account |
| AC-20 | Use of External Systems | Protects | T1114 | Email Collection |
| AC-20 | Use of External Systems | Protects | T1110 | Brute Force |
| AC-20 | Use of External Systems | Protects | T1041 | Exfiltration Over C2 Channel |
| AC-20 | Use of External Systems | Protects | T1133 | External Remote Services |
| AC-20 | Use of External Systems | Protects | T1021.001 | Remote Desktop Protocol |
| AC-20 | Use of External Systems | Protects | T1114.002 | Remote Email Collection |
| AC-20 | Use of External Systems | Protects | T1567 | Exfiltration Over Web Service |
| AC-20 | Use of External Systems | Protects | T1556 | Modify Authentication Process |
| AC-20 | Use of External Systems | Protects | T1552 | Unsecured Credentials |
| AC-20 | Use of External Systems | Protects | T1070.008 | Clear Mailbox Data |
| AC-20 | Use of External Systems | Protects | T1048 | Exfiltration Over Alternative Protocol |
| AC-20 | Use of External Systems | Protects | T1578.005 | Modify Cloud Compute Configurations |
| AC-20 | Use of External Systems | Protects | T1021.008 | Direct Cloud VM Connections |
| AC-20 | Use of External Systems | Protects | T1021.007 | Cloud Services |
| AC-20 | Use of External Systems | Protects | T1555 | Credentials from Password Stores |
| AC-20 | Use of External Systems | Protects | T1552.005 | Cloud Instance Metadata API |
| AC-20 | Use of External Systems | Protects | T1078.004 | Cloud Accounts |
| AC-20 | Use of External Systems | Protects | T1072 | Software Deployment Tools |
| AC-20 | Use of External Systems | Protects | T1020.001 | Traffic Duplication |
| AC-20 | Use of External Systems | Protects | T1021 | Remote Services |
| AC-20 | Use of External Systems | Protects | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
| AC-20 | Use of External Systems | Protects | T1098.003 | Additional Cloud Roles |
| AC-20 | Use of External Systems | Protects | T1098.004 | SSH Authorized Keys |
| AC-20 | Use of External Systems | Protects | T1098.005 | Device Registration |
| AC-20 | Use of External Systems | Protects | T1136.001 | Local Account |
| AC-20 | Use of External Systems | Protects | T1136.003 | Cloud Account |
| AC-20 | Use of External Systems | Protects | T1539 | Steal Web Session Cookie |