Appendix 2:
From NIST Sp. Pub. 800-53, Rev. 2; section 2.4 (Security Controls in External Environments)
"Organizations are becoming increasingly reliant on information system services provided by external service providers to carry out important missions and functions. External information system services are services that are implemented outside of the system's accreditation boundary (i.e., services that are used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business(23) arrangements), licensing agreements, and/or supply chain exchanges. The growing dependence on external service providers and new relationships being forged with those providers present new and difficult challenges for the organization, especially in the area of information system security. These challenges include, but are not limited to: ( i) defining the types of external services provided to the organization;24 (ii) describing how the external services are protected in accordance with the security requirements of the organization; and (iii) obtaining the necessary assurances that the risk to the organization's operations and assets, and to individuals, arising from the use of the external services is at an acceptable level.
The assurance or confidence that the risk to the organization's operations, assets, and individuals is at an acceptable level depends on the trust25 that the authorizing official places in the external service provider. In some cases, the level of trust is based on the amount of direct control the authorizing official is able to exert on the external service provider with regard to the employment of appropriate security controls necessary for the protection of the service and the evidence brought forth as to the effectiveness of those controls. The level of control is usually established by the terms and conditions of the contract or service-level agreement with the external service provider and can range from extensive (e.g., negotiating a contract or agreement that specifies detailed security control requirements for the provider26) to very limited (e.g., using a contract or service-level agreement to obtain commodity services27 such as commercial telecommunications services). In other cases, the level of trust is derived from other factors that convince the authorizing official that the requisite security controls have been employed and that a credible determination of control effectiveness exists. For example, a separately accredited external information system service provided to a federal agency through a line of business relationship may provide a degree of trust in the external service within the tolerable risk range of the authorizing official.
Ultimately, the responsibility for adequately mitigating risks to the organization's operations and assets, and to individuals, arising from the use of external information system services remains with the authorizing official. Authorizing officials must require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information system security. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating service provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. The chain of trust can be very complicated due to the number of entities participating in the consumer-provider relationship and the type of relationship between the parties. External service providers may also in turn outsource the services to other external entities, making the chain of trust even more complicated and difficult to manage. Depending on the nature of the service, it may simply be unwise for the organization to wholly trust the provider---not due to any inherent untrustworthiness on the provider's part, but due to the intrinsic level of risk in the service. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization employs compensating controls or accepts the greater degree of risk to its operations and assets, or to individuals."
Footnotes:
"23 In March 2004, OMB initiated a government wide analysis of selected lines of business supporting the President's Management Agenda goal to expand Electronic Government. Interagency task forces examined business and information technology data and best practices for each line of business---Case Management, Financial Management, Grants Management, Human Resources Management, Federal Health Architecture, Information Systems Security, Budget Formulation and Execution, Geospatial, and IT Infrastructure. The goal of the effort is to identify opportunities to reduce the cost of government and improve services to citizens through business performance improvements.
24 Information exchanges may be required among the many possible relationships with external service providers. The risk of exchanging information among business partners and other external entities must be assessed and appropriate security controls employed. There may be contract language that establishes specific requirements to protect information exchanged and/or that specifies particular remedies for failure to protect the information as prescribed. In addition, there may be laws or regulations that protect this information from unauthorized disclosure.
25 The level of trust that an organization places in an external service provider can vary widely ranging from those who are highly trusted (e.g., business partners in a joint venture that share a common business model and common goals) to those who are less trusted and represent greater sources of risk (e.g., business partners in one endeavor who are also competitors in another market sector).
26 In reality, the provision of services by providers external to the organization may result in some services without explicit agreements between the organization and the external entities responsible for the services. Whenever explicit agreements are feasible and practical (e.g., through contracts, service-level agreements, etc.), the organization should develop such agreements and require the use of the security controls in Special Publication 800-53. When the organization is not in a position to require explicit agreements with external service providers (e.g., when the service is imposed on the organization or when the service is commodity service), the organization should establish explicit assumptions about the service capabilities with regard to security. Contracts between the organization and external service providers may also require the active participation of the organization. For example, the organization may be required by the contract to install public key encryption-enabled client software recommended by the service provider.
27 Normally, commercial providers of commodity-type services (e.g., telecommunications services) organize their business models and services around the concept of shared resources and devices for a broad and diverse customer base. Therefore, unless organizations obtain fully dedicated services from commercial service providers (including dedicated devices and management systems), there will likely be a need for greater reliance on compensating security controls to provide the necessary protections for the information system that relies on those external services. The organization's risk assessment and risk mitigation activities should reflect this situation."
Questions or comments? 
Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).