Security Requirements for 03.16.03 External System Services

External system services are provided by external service providers. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with the organization charged with protecting CUI. Service-level agreements define expectations of performance, describe measurable outcomes, and identify remedies, mitigations, and response requirements for instances of noncompliance. Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when there is a need to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols. This requirement is related to 03.01.20.

  1. 03.16.03.a

     Require the providers of external system services used for the processing, storage, or transmission of CUI to comply with the following security requirements: [Assignment: organization-defined security requirements].

  2. 03.16.03.b

     Define and document user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers.

  3. 03.16.03.c

     Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis.