Show/Hide Toolbars

ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Navigation: SA-FAMILY: SYSTEM AND SERVICES ACQUISITION

SA-9(5) EXTERNAL INFORMATION SYSTEM SERVICES  |  PROCESSING, STORAGE, AND SERVICE LOCATION
Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

 

 

 

 

 

 

 

 

 

 

 

 

###

sa-9(5)

external information system services  | processing, storage, and service location

 

assessment objective:

Determine if the organization:

sa-9(5)[1]

defines locations where organization-defined information processing, information/data, and/or information system services are to be restricted;

sa-9(5)[2]

defines requirements or conditions to restrict the location of information processing, information/data, and/or information system services;

sa-9(5)[3]

restricts the location of one or more of the following to organization-defined locations based on organization-defined requirements or conditions:

sa-9(5)[3][a]

information processing;

sa-9(5)[3][b]

information/data; and/or

sa-9(5)[3][c]

information services.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing external information system services; acquisition contracts for the information system, system component, or information system service; solicitation documentation; acquisition documentation; service-level agreements; restricted locations for information processing; information/data and/or information system services; information processing, information/data, and/or information system services to be maintained in restricted locations; organizational security requirements or conditions for external providers; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; external providers of information system services].

Test: [select from: Organizational processes for defining requirements to restrict locations of information processing, information/data, or information services; organizational processes for ensuring the location is restricted in accordance with requirements or conditions].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056