CCI-004793

Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.

Implementation Guidance

Determine if the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; procedures addressing determining jurisdiction restrictions for processing and storage location; information/data and/or system services; organizational security requirements or conditions for external providers; system security plan; supply chain risk management plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organization personnel with supply chain risk management responsibilities; external providers of system services]. Test: [SELECT FROM: Organizational processes restricting external system service providers to process and store information within the legal jurisdictional boundary of the United States].

The controls below (if any) were marked by NIST as being related to CCI-004793.