SA-09 External System Services

Baselines

Guidance

External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

References 5

• OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
• SP 800-35 Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35.
• SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
• SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
• SP 800-171 Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2.

Control Enhancements 8

• SA-09(01) Risk Assessments and Organizational Approvals L M H P
• SA-09(02) Identification of Functions, Ports, Protocols, and Services L M H P
• SA-09(03) Establish and Maintain Trust Relationship with Providers L M H P
• SA-09(04) Consistent Interests of Consumers and Providers L M H P
• SA-09(05) Processing, Storage, and Service Location L M H P
• SA-09(06) Organization-controlled Cryptographic Keys L M H P
• SA-09(07) Organization-controlled Integrity Checking L M H P
• SA-09(08) Processing and Storage Location — U.S. Jurisdiction L M H P

Related controls 12

• AC-20 Use of External Systems L M H P
• CA-03 Information Exchange L M H P
• CP-02 Contingency Plan L M H P
• IR-04 Incident Handling L M H P
• IR-07 Incident Response Assistance L M H P
• PL-10 Baseline Selection L M H P
• PL-11 Baseline Tailoring L M H P
• PS-07 External Personnel Security L M H P
• SA-02 Allocation of Resources L M H P
• SA-04 Acquisition Process L M H P
• SR-03 Supply Chain Controls and Processes L M H P
• SR-05 Acquisition Strategies, Tools, and Methods L M H P