💼 SA-9 External System Services

Description

a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls];
b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques].

Similar

  • Internal
    • ID: dec-c-3a9e6bd1

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP High Security Controls → 💼 SA-9 External System Services (L)(M)(H) | 31
💼 FedRAMP Low Security Controls → 💼 SA-9 External System Services (L)(M)(H)
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events | 27
💼 NIST CSF v2.0 → 💼 GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated | 4
💼 NIST CSF v2.0 → 💼 GV.SC-04: Suppliers are known and prioritized by criticality | 7
💼 NIST CSF v2.0 → 💼 GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
💼 NIST CSF v2.0 → 💼 GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | 26
💼 NIST CSF v2.0 → 💼 GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | 1
💼 NIST CSF v2.0 → 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
💼 NIST CSF v2.0 → 💼 GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
💼 NIST CSF v2.0 → 💼 ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained | 7
💼 NIST CSF v2.0 → 💼 ID.AM-04: Inventories of services provided by suppliers are maintained

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 SA-9(1) External System Services _ Risk Assessments and Organizational Approvals
💼 SA-9(2) External System Services _ Identification of Functions, Ports, Protocols, and Services
💼 SA-9(3) External System Services _ Establish and Maintain Trust Relationship with Providers
💼 SA-9(4) External System Services _ Consistent Interests of Consumers and Providers
💼 SA-9(5) External System Services _ Processing, Storage, and Service Location | 11
💼 SA-9(6) External System Services _ Organization-controlled Cryptographic Keys
💼 SA-9(7) External System Services _ Organization-controlled Integrity Checking
💼 SA-9(8) External System Services _ Processing and Storage Location — U.S. Jurisdiction