03.16.03: External System Services
Control Family: System and Services Acquisition
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-160-1 [11]
SP 800-161 [33]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.16.03
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
SA-09
a. Require the providers of external system services used for the processing, storage, or transmission of CUI to comply with the following security requirements: [Assignment: organization-defined security requirements].
b. Define and document user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers.
c. Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis.
Discussion:
External system services are provided by external service providers. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with the organization charged with protecting CUI. Service-level agreements define expectations of performance, describe measurable outcomes, and identify remedies, mitigations, and response requirements for instances of noncompliance. Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when there is a need to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols. This requirement is related to 03.01.20.
Assessment Methods and Objectives
Examine [SELECT FROM: system and services acquisition policy and procedures; procedures for monitoring security requirement compliance by external service providers; acquisition documentation; contracts; service-level agreements; interagency agreements; licensing agreements; list of security requirements for external provider services; assessment results or reports from external service providers; SCRM plan; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with acquisition responsibilities; external providers of system services; personnel with SCRM responsibilities; personnel with information security responsibilities]
Test [SELECT FROM: organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis; mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.16.03.ODP[01]: security requirements to be satisfied by external system service providers are defined.
A.03.16.03.a: the providers of external system services used for the processing, storage, or transmission of CUI comply with the following security requirements: <A.03.16.03.ODP[01]: security requirements>.
A.03.16.03.b: user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers, are defined and documented.
A.03.16.03.c: processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis are implemented.