
SA-9 External System Services

Baselines: LI-SaaS, Low, Moderate, High

>Control Description

a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: organization-defined controls;

b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and

c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: organization-defined processes, methods, and techniques.

>FedRAMP Baseline Requirements

Parameter Values

a. Appropriate FedRAMP Security Controls Baseline(s) if federal customer data is processed or stored within the external system

c. Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where federal customer data is processed or stored

>Discussion

External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials.

For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored.

External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

>Cross-Framework Mappings

>Programmatic Queries (Beta)

Related Services

  • AWS Marketplace
  • AWS PrivateLink
  • AWS Service Catalog

CLI Commands

List Marketplace subscriptions:
  aws marketplace-catalog list-entities --catalog AWSMarketplace --entity-type Offer

List VPC endpoints (PrivateLink):
  aws ec2 describe-vpc-endpoints

List Service Catalog provisioned products:
  aws servicecatalog scan-provisioned-products

Describe VPC endpoint services available:
  aws ec2 describe-vpc-endpoint-services
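The CLI commands above only produce an inventory; SA-9 part (c) asks for an ongoing process that compares that inventory against what the organization has actually authorized. The following script is an added example, not part of the original page or any AWS tooling: it parses output in the JSON shape returned by `aws ec2 describe-vpc-endpoints` and flags PrivateLink endpoints whose service is not on an organization-defined allowlist, or that lack a tag naming the accountable oversight role (SA-9 part (b)). The sample JSON, the allowlist, and the `Owner` tag convention are constructed for this example and are assumptions, not FedRAMP-prescribed values.

```python
"""Ongoing monitoring check for external system services (SA-9 b and c).

Added example, not part of the original page. It parses the JSON shape
returned by `aws ec2 describe-vpc-endpoints` and compares each endpoint
against an organization-defined allowlist of approved external services.
"""
import json
import sys

# Constructed sample, shaped like `aws ec2 describe-vpc-endpoints` output
# (VpcEndpointId, VpcEndpointType, ServiceName, State, Tags are real fields;
# the ids and values here are made up for the example).
SAMPLE_DESCRIBE_VPC_ENDPOINTS = json.dumps({
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0aaa111",
            "VpcEndpointType": "Interface",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available",
            "Tags": [{"Key": "Owner", "Value": "cloud-platform-team"}],
        },
        {
            "VpcEndpointId": "vpce-0bbb222",
            "VpcEndpointType": "Interface",
            "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0example",
            "State": "available",
            "Tags": [],
        },
        {
            "VpcEndpointId": "vpce-0ccc333",
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.dynamodb",
            "State": "available",
            "Tags": [{"Key": "Owner", "Value": "data-team"}],
        },
    ]
})

# Organization-defined allowlist (assumption for this example): services that
# went through the SA-9 oversight process. Third-party PrivateLink services
# (vpce-svc-* ids) must be listed explicitly to be considered authorized.
APPROVED_SERVICES = {
    "com.amazonaws.us-east-1.s3",
    "com.amazonaws.us-east-1.dynamodb",
}

# Assumed tag that records the role accountable for the external service.
REQUIRED_TAG = "Owner"


def is_third_party_service(service_name):
    """AWS-operated endpoints look like com.amazonaws.<region>.<service>;
    customer- or partner-operated PrivateLink services carry '.vpce.'."""
    return ".vpce." in service_name


def review_vpc_endpoints(describe_output_json, approved=APPROVED_SERVICES):
    """Return a list of (endpoint id, finding) tuples; empty means all pass."""
    findings = []
    data = json.loads(describe_output_json)
    for ep in data.get("VpcEndpoints", []):
        ep_id = ep["VpcEndpointId"]
        svc = ep["ServiceName"]
        tags = {t["Key"]: t["Value"] for t in ep.get("Tags", [])}
        if svc not in approved:
            kind = "third-party" if is_third_party_service(svc) else "AWS"
            findings.append((ep_id, f"{kind} service not on approved list: {svc}"))
        if REQUIRED_TAG not in tags:
            findings.append((ep_id, f"missing '{REQUIRED_TAG}' tag naming the oversight role"))
    return findings


if __name__ == "__main__":
    # Read real CLI output from stdin when piped; otherwise use the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_VPC_ENDPOINTS
    for endpoint_id, message in review_vpc_endpoints(source):
        print(f"{endpoint_id}: {message}")
```

Run it as `aws ec2 describe-vpc-endpoints --output json | python3 sa9_check.py` against a live account (the file name is arbitrary); with the constructed sample it reports the unlisted third-party endpoint twice, once for the missing authorization and once for the missing owner tag. The same pattern applies to `scan-provisioned-products` and `list-entities` output by swapping the field names.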

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-9?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-9?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?
