SA-09 External Information System Services

System and Services Acquisition

Low Moderate High Privacy

Description

The organization: (i) requires that providers of external information system services employ adequate security controls in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, guidance, and established service-level agreements; and (ii) monitors security control compliance.

Supplemental Guidance

An external information system service is a service that is implemented outside of the accreditation boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. Ultimately, the responsibility for adequately mitigating risks to the organization’s operations and assets, and to individuals, arising from the use of external information system services remains with the authorizing official. Authorizing officials must require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information system security. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating service provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization employs compensating security controls or accepts the greater degree of risk to its operations and assets, or to individuals. The external information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service-level agreements. Service-level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of non-compliance. 
NIST Special Publication 800-35 provides guidance on information technology security services. NIST Special Publication 800-64 provides guidance on the security considerations in the system development life cycle.

Changes from Rev 4

Title changed from 'External Information System Services'.
Control text adds 'privacy' and removes references to federal laws, Executive Orders, directives, etc. and to 'government'.
Changes parameter text 'security controls' to 'controls'.
Discussion updated to clarify that external system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness.
Incorporates external service provider elements of withdrawn App J control AR-03.

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

A.5.19, A.5.20, A.5.22, A.5.23, A.8.21, A.8.30

ISO 27002:2022

5.19, 5.20, 5.22, 5.23, 6.6, 8.21, 8.30

COBIT 2019

APO08, APO09, APO10

CIS Controls v8

CIS 15, CIS 15.1, CIS 15.2, CIS 15.3, CIS 15.4, CIS 15.5, CIS 15.6, CIS 15.7, CIS 8.12

NIST CSF 2.0

DE.CM-06, GV.OC-05, GV.SC-02, ID.AM-04

SOC 2 TSC

CC3.3

PCI DSS v4.0.1

12.8, 12.9

CSA CCM v4

DSP-13, DSP-14, DSP-19, IPY-02, IPY-03, STA-06, STA-09, STA-12, UEM-14

CSA AICM v1

DSP-13, DSP-14, DSP-19, DSP-23, IPY-02, IPY-03, MDS-12, STA-06, STA-09, STA-12, STA-16, UEM-14

ISO 42001:2023

A.10.2, A.10.4

NIS2 Directive

Art. 21(2)(d)

PRA Operational Resilience

SS1/21-5.2, SS1/21-5.3, SS1/21-9.1, SS2/21-10.1, SS2/21-11.1, SS2/21-12.1, SS2/21-13.1, SS2/21-14.1, SS2/21-16.1, SS2/21-3.1, SS2/21-5.1, SS2/21-6.1, SS2/21-6.2, SS2/21-7.1, SS2/21-8.1, SS2/21-9.1

MAS TRM

16

APRA CPS 234

Para 29-33

ANSSI

Hygiene.26, Hygiene.42, Hygiene.9, SecNumCloud.16.1, SecNumCloud.16.2

FINMA Circular 2023/1

IV.F(100), V(101), V(102), V(103), V(104)

OSFI B-13

B-13.4.1, B-13.4.2

EU GDPR

Art.28(1), Art.28(3), Art.44, Art.46(1), Art.46(2)

EU DORA

Art.28(1)(a), Art.28(2), Art.28(5), Art.30(2), Art.30(3)

BIO2

5.19, 5.20, 5.22, 5.23, 6.6, 8.21, 8.30

RBI CSF

Annex1.11, ITGRCA.10

FISC Security Guidelines

FISC.O6, FISC.T9

LGPD + BCB 4893

BCB.Art.11, BCB.Art.11-Supp, BCB.Art.12, BCB.Art.13, BCB.Art.14, BCB.Art.15, BCB.Art.16, BCB.OpenFinance, LGPD.Art.23-26, LGPD.Art.33-36

HKMA TM-E-1

TME1.12.1, TME1.12.2, TME1.12.3, TME1.12.4, TME1.3.4

MLPS 2.0

8.1.10.12, 8.1.9.3, 8.1.9.4, 8.1.9.7, 8.2

DNB Good Practice

DNB.14.1, DNB.14.2, DNB.16.3

EU CRA

CRA.I.2i, CRA.Info.8f

SWIFT CSCF

SWIFT.2.8

SAMA CSF

4.1, 4.2, 4.3

NCA ECC

4-1, 4-2

UAE IA

T10

CBB TM

TM-15

Qatar NIA

SD

CBUAE

CR-12

CBE CSF

CTO-11, OVM-1

SA JS2

JS2-8.7

CBN CSF

Part2.4, Part5.1

BoG CISD

CISD-SDLC, CISD-XI, CISD-XII, CISD-XIII, CISD-XVI

POPIA

s20, s21, s72

BoM CTRM

3.10, 3.9

IOSCO Cyber Resilience

GOV-5, ID-2, PFMI-20, PROT-7

BCBS 239

Principle 14

CPMI-IOSCO PFMI

CG.ID, PFMI.P17, PFMI.P22, PFMI.P3

FFIEC IS

II.C.14, II.C.20, II.C.6

NYDFS 500

500.10, 500.11

HIPAA Security Rule

§164.308(b)(1), §164.308(b)(3), §164.314(a)(1), §164.314(a)(2), §164.314(b)(1)

ECB CROE

CROE.2.2.2, CROE.2.2.3

EBA ICT Guidelines

3.2.3

SEBI CSCRF

GV.SC, PR.CS

BOT Cyber Resilience

Ch5.1, Ch5.2

NERC CIP

CIP-013-2

10 CFR 73.54

RG5.71-C-SR

FERC CIP Orders

Order 829

DOE C2M2 v2.1

THIRD

API 1164

Sec 12

AWIA

AWWA Sec 7

PCI PTS v6

H

CBEST

CBEST.8

TIBER-EU

TIBER.PROV

Common Criteria

CCRA

ISAE 3402

Clause 7, Clause 8

Solvency II

Art.49(1), Art.49(2), Art.49(3), DR.272, DR.274, EIOPA-Cloud-GL11, EIOPA-Cloud-GL3

Lloyd's Minimum Standards

BP2.2, MS13.1, MS6.1, MS8.8, MS9.3

NAIC Insurance Data Security

4-personnel, 4D

FCA SYSC 13

SYSC 13.9.1, SYSC 13.9.2, SYSC 13.9.3, SYSC 13.9.5

HITRUST CSF v11

05.b

FDA Cybersecurity Guidance

TR-3

ISO 27799

14.1, 15.1, 15.2

NHS DSPT

NDG-10.1, NDG-10.2, NDG-10.3

MiCA

Art.66(1), Art.66(3)

Basel SCO60

SCO60.4, SCO60.41, SCO60.53, SCO60.54, SCO60.65, SCO60.83, SCO60.84

BSSC Standards

GSP-07

SEC Custody (Digital Assets)

SEC-CD-01, SEC-CD-09, SEC-CD-10, SEC-CD-17

ISO 17799 (legacy)

6.2.1, 6.2.3, 10.2.1, 10.2.2, 10.6.2

COBIT 4.1 (legacy)

DS1.6, DS2.3, ME3.1, ME3.3