💼 SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

  • ID: /frameworks/nist-sp-800-53-r4/sa/09

Description

The organization:

  • SA-9a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  • SA-9b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
  • SA-9c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Similar

  • Internal
    • ID: dec-c-d6640165

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 NIST CSF v1.1 → 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | 67 | no data
💼 NIST CSF v1.1 → 💼 ID.AM-4: External information systems are catalogued | no data
💼 NIST CSF v1.1 → 💼 ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | no data
💼 NIST CSF v1.1 → 💼 ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan | no data
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | 1519 | no data
💼 NIST CSF v1.1 → 💼 PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | no data

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 SA-9 (1) RISK ASSESSMENTS _ ORGANIZATIONAL APPROVALS | no data
💼 SA-9 (2) IDENTIFICATION OF FUNCTIONS _ PORTS _ PROTOCOLS _ SERVICES | no data
💼 SA-9 (3) ESTABLISH _ MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS | no data
💼 SA-9 (4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS | no data
💼 SA-9 (5) PROCESSING, STORAGE, AND SERVICE LOCATION | no data