SA-9: External System Services

From NIST's SP800-53:

a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques].

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

SP800-53 Control Mapped to NIST Cyber Security Framework

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Search:

Control ID	Description
ID.SC-4	Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
PR.AT-3	Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
DE.CM-6	External service provider activity is monitored to detect potential cybersecurity events
ID.SC-1	Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.AM-4	External information systems are catalogued
ID.SC-3	Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

Showing 1 to 6 of 6 entries

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against.

Search:

ATT&CK ID	Title	Associated Tactics
T1048	Exfiltration Over Alternative Protocol	Exfiltration
T1041	Exfiltration Over C2 Channel	Exfiltration
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	Exfiltration
T1048.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Exfiltration
T1567	Exfiltration Over Web Service	Exfiltration

Showing 1 to 5 of 5 entries