Navigate

CCI-000674

CCI-000674 Definition

The organization documents user roles and responsibilities with regard to external information system services.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must establish in the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc) the roles and responsibilities of all types of users of the external information system services.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the official documentation governing the provision of the external IT services (e.g. contract, MOU, MOA, SLA, etc) to confirm the organization has clearly established the roles and responsibilities of all types of users of the external information system services.

Compelling Evidence

1.) System security plan (SSP) must document user roles and responsibilities with regards to external information services (includes contracts, MOUs, MOAs, SLAs).

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000674.

Control	Description
SA-9	The organization: SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Control

Description

SA-9

The organization:

SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.