SA-9(5): Processing, Storage, and Service Location


(Not part of any baseline)

Previous Version:

Control Statement

Restrict the location of [Assignment (one or more): information processing, information or data, system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].

Supplemental Guidance

The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security or privacy incidents. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate.