Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-9

external information system services

assessment objective:

Determine if the organization:

sa-9(a)

sa-9(a)[1]

defines security controls to be employed by providers of external information system services;

sa-9(a)[2]

requires that providers of external information system services comply with organizational information security requirements;

sa-9(a)[3]

requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

sa-9(b)

sa-9(b)[1]

defines and documents government oversight with regard to external information system services;

sa-9(b)[2]

defines and documents user roles and responsibilities with regard to external information system services;

sa-9(c)

sa-9(c)[1]

defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and

sa-9(c)[2]

employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing external information system services; procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services; acquisition contracts, service-level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; external providers of information system services; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for monitoring security control compliance by external service providers on an ongoing basis; automated mechanisms for monitoring security control compliance by external service providers on an ongoing basis].