This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization requires providers of [Assignment: (M) all external systems where Federal information is processed or stored; (H) all external systems where Federal information is processed or stored] to identify the functions, ports, protocols, and other services required for the use of such services.
NIST 800-53 (r4) Supplemental Guidance:
Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols. Related control: CM-7.
NIST 800-53 (r5) Discussion:
Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols.
38North Guidance:
Meets Minimum Requirement:
Document the functions, ports, protocols, and services required to operate the system/application.
Best Practice:
As part of the risk assessment process to approve authorized vendors or services, include a communication mechanism for notifying a responsible party with the technical operations team (such as architecture, security, or compliance) in order to document and maintain an active list of authorized/active functions, ports, protocols, and services.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Functions, Ports, Protocols, and Services List.
Change tickets documenting the updated functions, ports, protocols and services (to include the type of request, function/port/protocol/service being added, description of change, approver's name, and date of approval).
CSP Implementation Tips:
None.