CCI-003154

The organization defines the requirements or conditions on which to base restricting the location of information processing, information/data, and/or information system services to organization-defined locations.

Implementation Guidance

The organization being inspected/assessed defines and documents the requirements or conditions on which to base restricting the location of information processing, information/data, and/or information system services to organization-defined locations. Definitions should take into account regulatory guidelines in place to protect the data being stored or processed. DoD has determined the requirements or conditions are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented requirements or conditions to ensure the organization being inspected/assessed defines the requirements or conditions on which to base restricting the location of information processing, information/data, and/or information system services to organization-defined locations. DoD has determined the requirements or conditions are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP) will define the locations of information processing, information/data, and/or information system services to organization-defined locations based on organization-defined requirements or conditions.

The controls below (if any) were marked by NIST as being related to CCI-003154.