This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: (L) (M) (H) FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: (L) (M) (H) Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored] to monitor security control compliance by external service providers on an ongoing basis.
NIST 800-53 (r4) Supplemental Guidance:
External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7.
NIST 800-53 (r5) Discussion:
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.
38North Guidance:
Meets Minimum Requirement:
SA-9.a (L) (M) (H) Implement the FedRAMP security controls baseline appropriate for the information system/service.
SA-9.b Define and document the roles and responsibilities of the stakeholders providing oversight (e.g., identify the Agency and any Agency POCs who will be the focal points of contact, or an external vendor that is providing the service).
SA-9.c Develop and employ continuous monitoring requirements as part of CA-7. Continuous monitoring plans must demonstrate that these requirements are applied to external systems where customer information is processed or stored, so that security control compliance by external service providers is monitored on an ongoing basis.
Best Practice:
No
Unofficial FedRAMP Guidance:
For agency authorizations, the FedRAMP PMO allows the use of new AWS services under "JAB Review", as long as there is an SA-9 POA&M acknowledging the current status and all the other mandates are in place (e.g., encryption, multi-factor authentication, etc.).
Assessment Evidence:
External vendor approval process and a list of authorized vendors/contractors/suppliers (to include the vendor's name; nature of service or products being supplied; data/information shared; risks and controls to alleviate risks).
Process and documentation for communicating security requirements to the vendor/contractor/supplier (e.g., in contracts or a separate document).
Interconnection Security Agreements.
Sample of security control assessments performed on providers of external information system services. Evidence to show external information system and service providers meet [FedRAMP Assignment: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Approvals of the external information system or services.
Evidence to show the organization monitors security control compliance of external system and service providers.
CSP Implementation Tips:
None.