
PM-17 Protecting Controlled Unclassified Information On External Systems

PRIVACY

Control Description

a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and

b. Review and update the policy and procedures [Assignment: organization-defined frequency].

Supplemental Guidance

Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 and, specifically for systems external to the federal organization, 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the use of multi-factor authentication across organizational systems?
  • How does the organization determine authentication requirements for different systems and user types?
  • Who is responsible for implementing and managing multi-factor authentication?
  • What is the process for granting exceptions to multi-factor authentication requirements?
  • What governance exists for ensuring consistent multi-factor authentication implementation?

Technical Implementation:

  • What multi-factor authentication technologies are deployed organization-wide?
  • How is MFA enforced across different systems and applications?
  • What centralized authentication services support MFA?
  • How are MFA policies and configurations managed centrally?
  • What reporting capabilities exist for MFA adoption and effectiveness?

Evidence & Documentation:

  • Provide organization-wide multi-factor authentication policy.
  • Provide evidence of MFA deployment across systems.
  • Provide MFA adoption metrics and compliance reports.
  • Provide documentation of MFA exception approvals.
  • Provide records of MFA technology evaluation and selection.
