The organization must require that providers of external Voice Video system services employ security controls defined by CNSSI 1253 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

From Voice Video Policy Security Technical Implementation Guide

Part of SRG-POL-300750

Associated with: CCI-000670

VVSP-01-000202_rule The organization must require that providers of external Voice Video system services employ security controls defined by CNSSI 1253 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Vulnerability discussion

External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet.

For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

Check content

Review each Voice Video system security plan (SSP). Verify that the organization requires providers of external Voice Video system services to employ security controls defined by CNSSI 1253 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The commercial provider will normally document these in Service Level Agreements (SLA) or another contract. If the Voice Video SSP does not document, and the organization does not enforce, that providers of external Voice Video system services employ security controls as indicated above, this is a finding.

Fix text

Document in the Voice Video SSP that the organization must require that providers of external Voice Video system services employ security controls defined by CNSSI 1253 in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Append the SLA, or other contract documentation, from the commercial provider detailing the controls.
