800-53|SA-9

Title

EXTERNAL INFORMATION SYSTEM SERVICES

Description

The organization:

Supplemental

External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

Reference Item Details

Related: CA-3, IR-7, PS-7

Category: SYSTEM AND SERVICES ACQUISITION

Family: SYSTEM AND SERVICES ACQUISITION

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
MS.DEFENDER.4.1v2 - A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) SHALL be blocked. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.2v1 - The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.3v1 - The action for the custom policy SHOULD be set to block sharing sensitive information with everyone. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.EXO.1.1v1 - Automatic forwarding to external domains SHALL be disabled. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.6.1v1 - Contact folders SHALL NOT be shared with all domains. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.6.2v1 - Calendar details SHALL NOT be shared with all domains. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.1v2 - A DLP solution SHALL be used. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.2v2 - The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.3v1 - The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.4v1 - At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.POWERPLATFORM.1.1v1 - The ability to create production and sandbox environments SHALL be restricted to admins. | microsoft_azure | CISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.POWERPLATFORM.2.1v1 - A DLP policy SHALL be created to restrict connector access in the default Power Platform environment. | microsoft_azure | CISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.POWERPLATFORM.2.2v1 - Non-default environments SHOULD have at least one DLP policy affecting them. | microsoft_azure | CISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.SHAREPOINT.1.1v1 - External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.2v1 - External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.3v1 - External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.4v1 - Guest access SHALL be limited to the email the invitation was sent to. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.2.1v1 - File and folder default sharing scope SHALL be set to Specific people (only the people the user specifies). | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.3.1v1 - Expiration days for Anyone links SHALL be set to 30 days or less. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.TEAMS.3.1v1 - Contact with Skype users SHALL be blocked. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
Salesforce.com : Trust and Salesforce.com - Review http://trust.salesforce.com | Salesforce.com | TNS Salesforce Best Practices Audit v1.2.0