External information system

An external information system is an information system or component of an information system that is outside of the authorization boundary established by a government organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. NIST Special Publication 800-37 and NIST Special Publication 800-53 provide additional guidance on external information systems and the effect of employing security controls in those types of environments.