NIST 800-53 Rev. 5

AC
AT
AU
CA
CM
CP
IA
IR
MA
MP
PE
PL
PM
PS
PT
RA
SA
SC
SI
SR
SA-1
SA-2
SA-3
SA-3(1)
SA-3(2)
SA-3(3)
SA-4
SA-4(1)
SA-4(2)
SA-4(3)
SA-12
SA-4(5)
SA-4(6)
SA-4(7)
SA-4(8)
SA-4(9)
SA-4(10)
SA-4(11)
SA-4(12)
SA-5
SA-12(1)
SA-12(10)
SA-12(11)
SA-12(12)
SA-12(13)
SA-12(14)
SA-12(15)
SA-8
SA-8(1)
SA-8(2)
SA-8(3)
SA-8(4)
SA-8(5)
SA-8(6)
SA-8(7)
SA-8(8)
SA-8(9)
SA-8(10)
SA-8(11)
SA-8(12)
SA-8(13)
SA-8(14)
SA-8(15)
SA-8(16)
SA-8(17)
SA-8(18)
SA-8(19)
SA-8(20)
SA-8(21)
SA-8(22)
SA-8(23)
SA-8(24)
SA-8(25)
SA-8(26)
SA-8(27)
SA-8(28)
SA-8(29)
SA-8(30)
SA-8(31)
SA-8(32)
SA-8(33)
SA-9
SA-9(1)
SA-9(2)
SA-9(3)
SA-9(4)
SA-9(5)
SA-9(6)
SA-9(7)
SA-9(8)
SA-10
SA-10(1)
SA-10(2)
SA-10(3)
SA-10(4)
SA-10(5)
SA-10(6)
SA-10(7)
SA-11
SA-11(1)
SA-11(2)
SA-11(3)
SA-11(4)
SA-11(5)
SA-11(6)
SA-11(7)
SA-11(8)
SA-11(9)
SA-12(2)
SA-12(3)
SA-12(4)
SA-12(5)
SA-12(6)
SA-12(7)
SA-12(8)
SA-12(9)
SA-13
SA-14
SA-14(1)
SA-15(4)
SA-15(9)
SA-18
SA-18(1)
SA-18(2)
SA-19
SA-19(1)
SA-19(2)
SA-15
SA-15(1)
SA-15(2)
SA-15(3)
SA-19(3)
SA-15(5)
SA-15(6)
SA-15(7)
SA-15(8)
SA-19(4)
SA-15(10)
SA-15(11)
SA-15(12)
SA-16
SA-17
SA-17(1)
SA-17(2)
SA-17(3)
SA-17(4)
SA-17(5)
SA-17(6)
SA-17(7)
SA-17(8)
SA-17(9)
SA-21(1)
SA-22(1)
SA-4(4)
SA-5(1)
SA-5(2)
SA-5(3)
SA-5(4)
SA-5(5)
SA-20
SA-21
SA-6
SA-22
SA-7
SA-23

SA-9(1): External System Services | Risk Assessments and Organizational Approvals

Control Text:

(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].

Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks.

Related Controls