NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-4(12)Data Ownership

(a) Include organizational data ownership requirements in the acquisition contract; and (b) Require all data to be removed from the contractor's system and returned to the organization within {{ insert: param, sa-04.12_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Contractors who operate a system that contains data owned by an organization initiating the contract have policies and procedures in place to remove the data from their systems and/or return the data in a time frame defined by the contract.

Practitioner Notes

Your contracts must clearly establish that your organization retains ownership of its data, even when it is processed or stored by a vendor, and must state the time frame within which the vendor removes that data from its systems and returns it. Data ownership should never be ambiguous: if a contract is silent, you may have no enforceable right to get your data back, or to have it deleted, when the engagement ends.

Example 1: Include explicit data ownership clauses in all vendor contracts, covering derived data as well as the data you supply: 'All data provided by the Customer, and all data generated from Customer data, including derived data, metadata, and copies held in backups or by subcontractors, remains the exclusive property of the Customer. The Vendor shall not use Customer data for any purpose other than providing the contracted services.'

Example 2: Require contracts to include data portability and return provisions: upon contract termination, the vendor must return all your data in a standard, documented format within 30 days and certify deletion from their systems within 90 days (these periods are illustrative; the contract should use the time frame your organization selected for the control parameter). Make the deletion obligation cover backups, replicas, and any subcontractors, and require a written deletion certificate that names the sanitization method used (for example, a method from NIST SP 800-88). Test the data export capability before signing the contract, with realistic data volumes, to confirm that it works and that the exported format is usable without the vendor's tooling.