This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [FedRAMP Assignment: (H) terminations: immediately; transfers: within twenty-four (24) hours, (L) (M) organization-defined time period – same day]; and
e. Monitors provider compliance.
NIST 800-53 (r4) Supplemental Guidance
Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.
Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21.
References: NIST Special Publication 800-35.
NIST 800-53 (r5) Discussion
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.
Meets Minimum Requirement:
Document the specific roles and associated security responsibilities for third parties (e.g., contractors) supporting the system
Make the security requirements that third parties are expected to adhere to available to them, and use some method to enforce adherence (e.g., contractor signature, contractual requirements)
Document the personnel security requirements applied to third parties (e.g., background investigation or security clearance requirements)
Explicitly require that third-party providers notify designated individual(s) of transfers or terminations in accordance with (IAW) the timeframes established by the system's categorization (High: terminations immediately, transfers within 24 hours; Low/Moderate: same day)
Have some mechanism for monitoring provider compliance
For external services that store, process, or transmit federal data outside the system boundary, the external service providers must be FedRAMP-authorized
Review third-party access when conducting access reviews
Best Practice:
Require third parties to adhere to a recognized security standard (e.g., the ISO/IEC 27000 series)
Include personnel security requirements in any contracts or Master Services Agreements with third parties
Enforce the same security requirements for third parties as are applied to organizational personnel
Require third-party individuals to complete system-specific training prior to being granted system access
Conduct formal background investigations of third-party individuals prior to granting system access
Avoid granting third parties highly privileged access to the environment
Require third parties to submit to security audits on demand
Require third parties to submit security audit documentation
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documented security requirements for third parties
Review the mechanisms in place to require third parties to adhere to those requirements
Review evidence that third parties notify the designated roles in the event of personnel transfers or terminations
Review evidence that third parties are monitored for compliance
Review evidence that third-party access is reviewed concurrently with account reviews
Review acquisition contracts to ensure personnel security requirements are included in the documentation
CSP Implementation Tips:
AWS: Fully inherited
Azure: Fully inherited
GCP: Fully inherited