SA-9 (1) External Information System Services | Risk Assessments / Organizational Approvals
The organization:
SA-9 (1)(a): Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
SA-9 (1)(b): Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Applicable CNSSI 1253 Baselines
Confidentiality
- L
- M
- H
Integrity
- L
- M
- H
Availability
- L
- M
- H
Supplemental Guidance
Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services.