This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
NIST 800-53 (r4) Supplemental Guidance:
Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.
NIST 800-53 (r5) Discussion:
Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment.
38North Guidance:
Meets Minimum Requirement:
The alternate communications service provider must be different from the primary communications service provider. The organization must ensure there is sufficient physical separation to reduce the likelihood of natural disasters, civil unrest, power outages, or physical network outages affecting both regions at once.
Best Practice:
TBD.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
SLA for telecommunications services that includes primary and alternate site locations in geographically different regions/areas.
Evidence identifying the telecommunications service providers where two different communications services are used (if applicable).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD