SA-9: External System Services
Control Family: System and Services Acquisition
Previous Version: NIST Special Publication 800-53 Revision 4, SA-9: External Information System Services
Control Statement
- Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls];
- Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
- Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques].
Supplemental Guidance
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on the relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service provider, and end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.
Control Enhancements
SA-9(1): Risk Assessments and Organizational Approvals
Baseline(s):
- Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
- Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
SA-9(2): Identification of Functions, Ports, Protocols, and Services
Baseline(s):
- Moderate
- High
Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services].
SA-9(3): Establish and Maintain Trust Relationship with Providers
Baseline(s):
Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [Assignment: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships].
SA-9(4): Consistent Interests of Consumers and Providers
Baseline(s):
Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions].
SA-9(5): Processing, Storage, and Service Location
Baseline(s):
Restrict the location of [Assignment (one or more): information processing, information or data, system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
SA-9(6): Organization-controlled Cryptographic Keys
Baseline(s):
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
SA-9(7): Organization-controlled Integrity Checking
Baseline(s):
Provide the capability to check the integrity of information while it resides in the external system.
SA-9(8): Processing and Storage Location – U.S. Jurisdiction
Baseline(s):
Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.