CCI-003149

The organization employs organization-defined security safeguards to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.

Implementation Guidance

The organization being inspected/assessed employs the security safeguards defined in SA-9 (4), CCI 3150 to ensure that the interests of all external service providers from whom services are solicited are consistent with and reflect organizational interests. The organization must maintain records of safeguard review. DoD has defined the external service providers as all external service providers from whom services are solicited.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines a list of external service providers as well as records of safeguard review to ensure the organization being inspected/assessed employs the security safeguards defined in SA-9 (4), CCI 3150 to ensure that the interests of all external service providers from whom services are solicited are consistent with and reflect organizational interests. DoD has defined the external service providers as all external service providers from whom services are solicited.

Compelling Evidence

1.) System security plan (SSP) will define security safeguards to ensure interests of external service providers are consistent with and reflect organizational interests.

The controls below (if any) were marked by NIST as being related to CCI-003149.