CCI-003143

Require providers of organization-defined external system services to identify the functions, ports, protocols, and other services required for the use of such services.

Implementation Guidance

Determine if providers of [SA-09(02)_ODP; external system services that require the identification of functions, ports, protocols, and other services are defined] are required to identify the functions, ports, protocols, and other services required for the use of such services.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; supply chain risk management policy and procedures; procedures addressing external system services; acquisition contracts for the system, system component, or system service; acquisition documentation; solicitation documentation; service level agreements; organizational security requirements and security specifications for external service providers; list of required functions, ports, protocols, and other services; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system/network administrators; external providers of system services].

The controls below (if any) were marked by NIST as being related to CCI-003143.