CCI-003153

The organization defines the locations for which to restrict information processing, information/data, and/or information system services based on organization-defined requirements or conditions.

Implementation Guidance

The organization being inspected/assessed defines and documents the locations to restrict information processing, information/data, and/or information system services based on organization-defined requirements or conditions. Definitions should take into account regulatory guidelines in place to protect the data being stored or processed. DoD has determined the location is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented locations to ensure the organization being inspected/assessed defines the locations to restrict information processing, information/data, and/or information system services based on organization-defined requirements or conditions. DoD has determined the location is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP) will define the locations of information processing, information/data, and/or information system services to organization-defined locations based on organization-defined requirements or conditions.

The controls below (if any) were marked by NIST as being related to CCI-003153.