3.16.3

Requirement

a. Require the providers of external system services used for the processing, storage, or transmission of CUI to comply with the following security requirements: [Assignment: organization-defined security requirements].
b. Define and document user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers.
c. Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis.

Discussion

External system services are provided by external service providers. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with the organization charged with protecting CUI. Service-level agreements define expectations of performance, describe measurable outcomes, and identify remedies, mitigations, and response requirements for instances of noncompliance. Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when there is a need to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols. This requirement is related to 03.01.20.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: system and services acquisition policy and procedures; procedures for monitoring security requirement compliance by external service providers; acquisition documentation; contracts; service-level agreements; interagency agreements; licensing agreements; list of security requirements for external provider services; assessment results or reports from external service providers; SCRM plan; system security plan; other relevant documents or records]
Interview

[SELECT FROM: organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis; mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis]
Test

[SELECT FROM: personnel with acquisition responsibilities; external providers of system services; personnel with SCRM responsibilities; personnel with information security responsibilities]

ID	Assessment Objectives
A.03.16.03.a	the providers of external system services used for the processing, storage, or transmission of CUI comply with the following security requirements: .
A.03.16.03.b	user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers, are defined and documented.
A.03.16.03.c	processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis are implemented.
A.03.16.03.ODP[01]	security requirements to be satisfied by external system service providers are defined.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!