Navigate

CCI-000671

CCI-000671 Definition

The organization defines government oversight with regard to external information system services.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must define in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc) the government oversight to be conducted on external information system services and service provider.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc) to confirm the organization has clearly defined the government oversight to be conducted on external information system services and service providers.

Compelling Evidence

1.) System security plan (SSP) must define how government oversight is implemented with regards to external information services (includes contracts, MOUs, MOAs, SLAs).

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000671.

Control	Description
SA-9	The organization: SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Control

Description

SA-9

The organization:

SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.