CCI-003150
CCI-003150 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if [SA-09(04)_ODP[02]; actions to be taken to verify that the interests of external service providers are consistent with and reflect organizational interests are defined] are taken to verify that the interests of [SA-09(04)_ODP[01]; external service providers are defined] are consistent with and reflect organizational interests.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; organizational security requirements/safeguards for external service providers; personnel security policies for external service providers; assessments performed on external service providers; system security plan; supply chain risk management plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; external providers of system services; organizational personnel with supply chain risk management responsibilities].
Test: [SELECT FROM: Organizational processes for defining and employing safeguards to ensure consistent interests with external service providers; mechanisms supporting and/or implementing safeguards to ensure consistent interests with external service providers].