💼 SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

Description

The organization:

  • SA-9a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  • SA-9b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
  • SA-9c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Similar

  • Internal
    • ID: dec-c-d6640165

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 NIST CSF v1.1 → 💼 DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | 77
💼 NIST CSF v1.1 → 💼 ID.AM-4: External information systems are catalogued
💼 NIST CSF v1.1 → 💼 ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
💼 NIST CSF v1.1 → 💼 ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | 1619
💼 NIST CSF v1.1 → 💼 PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 SA-9 (1) RISK ASSESSMENTS _ ORGANIZATIONAL APPROVALS
💼 SA-9 (2) IDENTIFICATION OF FUNCTIONS _ PORTS _ PROTOCOLS _ SERVICES
💼 SA-9 (3) ESTABLISH _ MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS
💼 SA-9 (4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS
💼 SA-9 (5) PROCESSING, STORAGE, AND SERVICE LOCATION