Navigate

CCI-003139

CCI-003139 Definition

The organization defines processes, methods, and techniques to employ to monitor security control compliance by external service providers on an ongoing basis.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed defines and documents processes, methods, and techniques to employ to monitor security control compliance by external service providers on an ongoing basis. DoD has determined the processes, methods, and techniques are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented processes, methods, and techniques to ensure the organization being inspected/assessed defines processes, methods, and techniques to employ to monitor security control compliance by external service providers on an ongoing basis.

Compelling Evidence

1.) System security plan (SSP) will define and document organization-defined processes, methods, and techniques for monitoring control compliance by external service providers on ongoing basis.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003139.

Control	Description
SA-9	The organization: SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Control

Description

SA-9

The organization:

SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.