STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← All Controls

PM-17

Program ManagementRev 5organization

Protecting Controlled Unclassified Information on External Systems

Baselines:Privacy

Control Statement

a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b. Review and update the policy and procedures [Assignment: organization-defined frequency].

Supplemental Guidance

Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) and, specifically for systems external to the federal organization, [32 CFR 2002.14h](https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/xml/CFR-2017-title32-vol6-part2002.xml) . The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.

Related Controls (2)

CA-6PM-10

CCI Identifiers (6)

CCI-004368Review and update the policy for Controlled Unclassified Information on an organization-defined frequency.CCI-004366Establish policy to ensure that the requirements for the protection of Controlled Unclassified Information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.CCI-004367Establish procedures to ensure that the requirements for the protection of Controlled Unclassified Information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.CCI-004369Defines the frequency in which the policy for Controlled Unclassified information is reviewed and updated.CCI-004370Review and update the procedures for Controlled Unclassified Information on an organization-defined frequency.CCI-004371Defines the frequency in which the procedures for Controlled Unclassified information is reviewed and updated.

Linked STIG Checks (0)

No STIG checks reference this control.