IR-7 (2) Incident Response Assistance | Coordination with External Providers (M) (H)

NIST 800-53 (r4) Control:

The organization:

(a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and

(b) Identifies organizational incident response team members to the external providers.

NIST 800-53 (r4) Supplemental Guidance:

External providers of information system protection capability include, for example, the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks.

References: None.

NIST 800-53 (r5) Discussion:

External providers of a system protection capability include the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. It may be beneficial to have agreements in place with external providers to clarify the roles and responsibilities of each party before an incident occurs.

38North Guidance:

Meets Minimum Requirement:

• Contact information for the incident response team (IRT) is provided to all external providers, (e.g. via agreements)

Best Practice:

• FedRAMP Incident Communications Procedure

Unofficial FedRAMP Guidance:

• TBD

Assessment Evidence:

• Correspondence (such as a contract, email, etc) showing that the organization has identified the organizational incident response team members to external providers.

CSP Implementation Tips:

• Amazon Web Services (AWS): Contact information for the IRT is provided to the provider in order to receive notifications of security breaches involving customer data.

• Microsoft Azure: Contact information for the IRT is provided to the provider in order to receive notifications of security breaches involving customer data.

• Google Cloud Platform: Contact information for the IRT is provided to the provider in order to receive notifications of security breaches involving customer data.