SA-9 (4)

SA-9 (4) H M

The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.

  • H SA-9 (4)-2 [all external systems where Federal information is processed or stored]
  • M SA-9 (4)-2 [all external systems where Federal information is processed or stored]
DISA Cloud Computing SRG

Not appropriate for DoD to define for all CSP's infrastructure or service offerings

All external service providers from whom services are solicited.


Supplemental Guidance

As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities.