This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: (M) (H) all external systems where Federal information is processed or stored] are consistent with and reflect organizational interests.
NIST 800-53 (r4) Supplemental Guidance:
As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities.
NIST 800-53 (r5) Discussion:
As organizations increasingly use external service providers, it is possible that the interests of the service providers may diverge from organizational interests. In such situations, simply having the required technical, management, or operational controls in place may not be sufficient if the providers that implement and manage those controls are not operating in a manner consistent with the interests of the consuming organizations. Actions that organizations take to address such concerns include requiring background checks for selected service provider personnel; examining ownership records; employing only trustworthy service providers, such as providers with which organizations have had successful trust relationships; and conducting routine, periodic, unscheduled visits to service provider facilities.
38North Guidance:
Meets Minimum Requirement:
Employ the security safeguards required by federal customers and/or service providers, as specified in the applicable contracts and service level agreements.
Best Practice:
None.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Evidence showing security safeguards are in place to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.
CSP Implementation Tips:
Amazon Web Services (AWS): None.