Navigate

CCI-000669

CCI-000669 Definition

The organization requires that providers of external information system services comply with organizational information security requirements.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents within contracts/agreements, requirements that providers of external information system services comply with any organization-specific information security requirements.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that providers of external information system services comply with any organization-specific information security requirements.

Compelling Evidence

1.) System security plan (SSP). 2.) Design documentation must contain information system security requirements to be adhered to be external information services

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000669.

Control	Description
SA-9	The organization: SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Control

Description

SA-9

The organization:

SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.