Navigate

CCI-003138

CCI-003138 Definition

The organization employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed implements the processes, methods, and techniques defined in SA-9, CCI 3139 to monitor security control compliance by external service providers on an ongoing basis. The organization must maintain records of monitoring.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the records of monitoring to ensure the organization being inspected/assessed implements the processes, methods, and techniques defined in SA-9, CCI 3139 to monitor security control compliance by external service providers on an ongoing basis.

Compelling Evidence

1.) System security plan (SSP) will define and document organization-defined processes, methods, and techniques for monitoring control compliance by external service providers on ongoing basis.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003138.

Control	Description
SA-9	The organization: SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Control

Description

SA-9

The organization:

SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.