AC.L3-3.1.2E Organizationally Controlled Assets

CMMC Requirement AC.L3-3.1.2E – Organizationally Controlled Assets: Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

Discussion [NIST SP 800-171 R2]
Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Non-organizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.

Further Discussion
Implementing this requirement ensures that an organization has control over the systems that can connect to organizational assets. This control will allow more effective and efficient application of security policy. The term “has control over” provides policy for systems that are not owned outright by the organization. Control includes policies, regulations or standards that are enforced on the resource accessing contractor systems. Control may also be exercised through contracts or agreements with the external party. “Provisioned” includes setting configuration, whether through direct technical means or by policy or agreement. For purposes of this requirement, GFE can be considered provisioned by the OSA.