>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SA-9(3)External System Services | Establish and Maintain Trust Relationship with Providers

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships.

>DoD Impact Level Requirements

DoD FedRAMP+ Parameters

DSPAV must be used.

>Discussion

Trust relationships between organizations and external service providers reflect the degree of confidence that the risk from using external services is at an acceptable level. Trust relationships can help organizations gain increased levels of confidence that service providers are providing adequate protection for the services rendered and can also be useful when conducting incident response or when planning for upgrades or obsolescence. Trust relationships can be complicated due to the potentially large number of entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and types of interactions between the parties.

In some cases, the degree of trust is based on the level of control that organizations can exert on external service providers regarding the controls necessary for the protection of the service, information, or individual privacy and the evidence brought forth as to the effectiveness of the implemented controls. The level of control is established by the terms and conditions of the contracts or service-level agreements.

>Related Controls

SR-2

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-9(3)?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-9(3)?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?

Ask AI

Configure your API key to use AI features.