NIST 800-53 r5 · Controls catalogue · Family SA
SA-9 External System Services
The control requires the organization to:
- Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};
- Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
- Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (6)
- T1041 Exfiltration Over C2 Channel (tactic: Exfiltration)
- T1048 Exfiltration Over Alternative Protocol (tactic: Exfiltration)
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (tactic: Exfiltration)
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (tactic: Exfiltration)
- T1072 Software Deployment Tools (tactics: Execution, Lateral Movement)
- T1567 Exfiltration Over Web Service (tactic: Exfiltration)
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs (CVE count shown per row). The rationale column describes how this control reduces the exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Requiring external providers to implement and be monitored against organizational access-control requirements directly reduces the likelihood of improper access control across trust boundaries. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Mandating that external services employ specified authentication controls and ongoing compliance monitoring makes missing authentication for critical functions harder to overlook or exploit. |
| CWE-319 | Cleartext Transmission of Sensitive Information | 1,042 | Explicit controls and continuous oversight on external system services prevent cleartext transmission of sensitive information over provider-managed channels. |
| CWE-311 | Missing Encryption of Sensitive Data | 552 | Privacy and security requirements placed on external providers, together with monitoring, tangibly reduce missing encryption of sensitive data processed or stored by those services. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Defining oversight, roles, and compliance monitoring for external services directly mitigates the risk of including functionality from an untrusted control sphere. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 57 | Requiring providers to meet communication-channel restrictions and monitoring adherence reduces improper restriction of channels to intended endpoints. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-27702 | 2.0 | 9.9 | 0.0010 | partial |
| CVE-2025-61591 | 1.8 | 8.8 | 0.0013 | good |