CCI-003153

Defines the locations for which to restrict information processing, information or data, and/or system services based on organization-defined requirements or conditions.

Implementation Guidance

Determine if based on [SA-09(05)_ODP[03]; requirements or conditions for restricting the location of [SA-09(05)_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {information processing; information or data; system services}] are defined] is/are restricted to [SA-09(05)_ODP[02]; locations where [SA-09(05)_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {information processing; information or data; system services}] is/are to be restricted are defined].

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; restricted locations for information processing; information/data and/or system services; information processing, information/data, and/or system services to be maintained in restricted locations; organizational security requirements or conditions for external providers; system security plan; supply chain risk management plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; external providers of system services; organizational personnel with supply chain risk management responsibilities]. Test: [SELECT FROM: Organizational processes for defining the requirements to restrict locations of information processing, information/data, or information services; organizational processes for ensuring the location is restricted in accordance with requirements or conditions].

The controls below (if any) were marked by NIST as being related to CCI-003153.