NIST 800-53 r5 · Controls catalogue · Family AC

AC-20Use of External Systems

{{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: Access the system from external systems; and Process, store, or transmit organization-controlled information using external systems; or Prohibit the use of {{ insert: param, ac-20_odp.04 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (64)

T1020.001 Traffic Duplication Exfiltration
T1021 Remote Services Lateral Movement
T1021.001 Remote Desktop Protocol Lateral Movement
T1021.004 SSH Lateral Movement
T1021.007 Cloud Services Lateral Movement
T1021.008 Direct Cloud VM Connections Lateral Movement
T1041 Exfiltration Over C2 Channel Exfiltration
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
T1052 Exfiltration Over Physical Medium Exfiltration
T1052.001 Exfiltration over USB Exfiltration
T1070.008 Clear Mailbox Data Stealth
T1072 Software Deployment Tools Execution, Lateral Movement
T1078.002 Domain Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
T1098.001 Additional Cloud Credentials Persistence, Privilege Escalation
T1098.002 Additional Email Delegate Permissions Persistence, Privilege Escalation
T1098.003 Additional Cloud Roles Persistence, Privilege Escalation
T1098.004 SSH Authorized Keys Persistence, Privilege Escalation
T1098.005 Device Registration Persistence, Privilege Escalation
T1110 Brute Force Credential Access
T1110.001 Password Guessing Credential Access
T1110.002 Password Cracking Credential Access
T1110.003 Password Spraying Credential Access
T1110.004 Credential Stuffing Credential Access
T1111 Multi-Factor Authentication Interception Credential Access
T1114 Email Collection Collection
T1114.001 Local Email Collection Collection
T1114.002 Remote Email Collection Collection
T1114.003 Email Forwarding Rule Collection
T1119 Automated Collection Collection
T1133 External Remote Services Persistence, Initial Access
T1134.005 SID-History Injection Stealth, Privilege Escalation
T1136 Create Account Persistence
T1136.001 Local Account Persistence
T1136.002 Domain Account Persistence
T1136.003 Cloud Account Persistence
T1200 Hardware Additions Initial Access
T1505.005 Terminal Services DLL Persistence
T1530 Data from Cloud Storage Collection
T1537 Transfer Data to Cloud Account Exfiltration
T1539 Steal Web Session Cookie Credential Access
T1550.001 Application Access Token Lateral Movement
T1552 Unsecured Credentials Credential Access
T1552.004 Private Keys Credential Access
T1552.005 Cloud Instance Metadata API Credential Access
T1555 Credentials from Password Stores Credential Access
T1556 Modify Authentication Process Defense Impairment, Persistence, Credential Access
T1556.001 Domain Controller Authentication Defense Impairment, Persistence, Credential Access

Weaknesses this control addresses (8)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-200`	Exposure of Sensitive Information to an Unauthorized Actor	10,204	Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.
`CWE-862`	Missing Authorization	8,680	Mandates authorization checks before permitting access or data processing via external systems.
`CWE-284`	Improper Access Control	4,832	Enforces rules governing access to the system and its data from external systems based on established trust relationships.
`CWE-863`	Incorrect Authorization	3,234	Ensures authorization decisions for external system use are correctly implemented and enforced.
`CWE-285`	Improper Authorization	1,230	Requires explicit authorization for individuals to use external systems to access or handle organization-controlled information.
`CWE-668`	Exposure of Resource to Wrong Sphere	779	Controls whether organization resources are exposed to external system spheres by permitting or prohibiting their use.
`CWE-653`	Improper Isolation or Compartmentalization	52	Defines isolation boundaries by specifying which external systems may access or process organization data.
`CWE-501`	Trust Boundary Violation	24	Establishes and maintains trust boundaries with external organizations before allowing their systems to interact with organization resources.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
`CVE-2025-34299`	6.1	9.8	0.6960	good
`CVE-2025-6514`	2.3	9.6	0.0617	partial
`CVE-2026-4851`	2.0	9.8	0.0009	partial

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-21 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9