An external information system is “an information system or component of an information system that is outside of the authorization boundary established by a government organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.”
NIST Special Publication 800-37 and NIST Special Publication 800-53 provide additional guidance on external information systems and the effect of employing security controls in those types of environments.
- NIST Special Publication 800-53, App. B, Glossary. Note: The term external should not be interpreted as or equated to meaning physically external. A distributed system will have elements that are physically/geographically distributed while being logically within the same authorization boundary. NIST Special Publication 800-160, at B-5.