This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization restricts the location of [Selection (one or more): (M) information processing; information/data; information system services; (H) information processing, information data, AND information services] to [Assignment: (M) organization-defined locations; (H) U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction] based on [Assignment: (M) organization-defined requirements or conditions; (H) all High impact data, systems, or services].
NIST 800-53 (r4) Supplemental Guidance:
The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information system services emanate.
NIST 800-53 (r5) Discussion:
The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate.
38North Guidance:
Meets Minimum Requirement:
Ensure that the organization defines restrictions on the locations used for processing, storage and service of information/data.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Evidence to show the organization restricts the location of one or more of the following to organization-defined locations based on organization-defined requirements or conditions:
information processing;
information/data; and/or
information services.
CSP Implementation Tips:
None