SA-9

External System Services

System and Services Acquisition (SA)
Baselines
Low: Included
Moderate: Included
High: Included
Description

a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [assignment];
b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [assignment].

Discussion

External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

Implementation guidance

No content available.

CSF 2.0 crosswalk
DE.CM-06 (Detect): External service provider activities and services are monitored to find potentially adverse events
GV.OC-05 (Govern): Outcomes, capabilities, and services that the organization depends on are understood and communicated
GV.SC-04 (Govern): Suppliers are known and prioritized by criticality
GV.SC-05 (Govern): Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
GV.SC-06 (Govern): Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
GV.SC-07 (Govern): The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
GV.SC-08 (Govern): Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
GV.SC-09 (Govern): Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
GV.SC-10 (Govern): Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
ID.AM-02 (Identify): Inventories of software, services, and systems managed by the organization are maintained
ID.AM-04 (Identify): Inventories of services provided by suppliers are maintained