HOME

SA-9 (5)

SA-9 (5) H M
Description

The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].

FedRAMP
  • H SA-9 (5)-1 [information processing, information data, AND information services]
  • M SA-9 (5)-1 [information processing, information data, AND information services]
DISA Cloud Computing SRG

Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG

Supplemental Guidance

The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected
by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information system services emanate.