This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
NIST 800-53 (r4) Supplemental Guidance:
Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3.
NIST 800-53 (r5) Discussion:
Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks.
38North Guidance:
Meets Minimum Requirement:
Develop and implement a process to review all external vendors/contractors/suppliers of IT services to the CSP.
Perform a risk assessment for all vendors/contractors/suppliers and document the results (to include the vendor's name; nature of service or products being supplied; data/information shared; risks and controls to alleviate risks).
Assign a role to review and approve all authorized vendors/contractors/suppliers.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Sample of security control assessments performed on providers of external information system services. Evidence to show external information system and service providers meet [FedRAMP Assignment: FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Approvals of the external information system or services.
Risk assessments performed for managing vendors, and their results.
Provide a list of authorized vendors.
SLAs/contracts with vendors.
Business Impact Analysis (BIA).
CSP Implementation Tips:
None