N
|
controlSA-9

External System Services (SA-9)

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [organization-defined]; Define and document organizational oversight and user roles and responsibilities with regard to external system services; and Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [organization-defined].

Security Baselines

LOWMODERATEHIGH
acquisitionsdlcservicessupply-chain

Why These Connect

Baselined In3

This control is included in the linked security baseline (LOW, MODERATE, or HIGH).

Supports37

These related controls work together — a change to one may affect the others.

Mitigates2

This control helps defend against or reduce the risk of the linked threat technique.

Enhances8

These enhancements add specific capabilities or refinements to the base control.

Related Controls(22)

AC-20Use of External Systems (AC-20)
LMH
CA-3Information Exchange (CA-3)
LMH
CA-7Continuous Monitoring (CA-7)
LMH
CM-6Configuration Settings (CM-6)
LMH
CM-7Least Functionality (CM-7)
LMH
IR-7Incident Response Assistance (IR-7)
LMH
PM-31Continuous Monitoring Strategy (PM-31)PS-7External Personnel Security (PS-7)
LMH
RA-3Risk Assessment (RA-3)
LMH
SA-2Allocation of Resources (SA-2)
LMH
SA-5System Documentation (SA-5)
LMH
CP-2Contingency Plan (CP-2)
LMH
IR-4Incident Handling (IR-4)
LMH
PL-10Baseline Selection (PL-10)
LMH
PL-11Baseline Tailoring (PL-11)
LMH
SA-4Acquisition Process (SA-4)
LMH
SR-3Supply Chain Controls and Processes (SR-3)
LMH
SR-5Acquisition Strategies, Tools, and Methods (SR-5)
LMH
SA-24Design For Cyber Resiliency (SA-24)SC-12Cryptographic Key Establishment and Management (SC-12)
LMH
SC-13Cryptographic Protection (SC-13)
LMH
SI-7Software, Firmware, and Information Integrity (SI-7)
MH

Threat Coverage(2 ATT&CK techniques)

T1195Supply Chain CompromiseT1199Trusted Relationship

Control Enhancements(8)

SA-9(1)Risk Assessments and Organizational Approvals (SA-9(1))
SA-9(2)Identification of Functions, Ports, Protocols, and Services (SA-9(2))
MH
SA-9(3)Establish and Maintain Trust Relationship with Providers (SA-9(3))
SA-9(4)Consistent Interests of Consumers and Providers (SA-9(4))
SA-9(5)Processing, Storage, and Service Location (SA-9(5))
SA-9(6)Organization-controlled Cryptographic Keys (SA-9(6))
SA-9(7)Organization-controlled Integrity Checking (SA-9(7))
SA-9(8)Processing and Storage Location — U.S. Jurisdiction (SA-9(8))

See Also

@SP 800-53 OverviewCompare Baselines