CCI-000670

The organization requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Implementation Guidance

The organization being inspected/assessed documents within contracts/agreements, the requirement that providers of external information system services employ security controls defined in CNSSI 1253. DoD has defined the security controls as security controls defined by CNSSI 1253.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that providers of external information system services employ security controls defined in CNSSI 1253. DoD has defined the security controls as security controls defined by CNSSI 1253.

Compelling Evidence

1.) System security plan (SSP). 2.) Design documentation must contain requirements that external information system services employ organization defined security controls that are in accordance with laws and regulations.

The controls below (if any) were marked by NIST as being related to CCI-000670.