NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-9(2) Identification of Functions, Ports, Protocols, and Services

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols.

Practitioner Notes

Document all functions, ports, protocols, and services used by your external service providers. You need to know exactly what traffic flows to and from external services to secure and monitor those connections.

Example 1: For each external service, document the network connections required: protocols (HTTPS, SFTP), destination URLs or IPs, ports, authentication methods, and the type of data transmitted. Configure your firewall to allow only these documented connections and deny everything else.

Example 2: Use network monitoring tools to validate that external services are communicating only on documented ports and protocols. In Microsoft Defender for Cloud Apps, use Cloud Discovery to detect all cloud service connections from your network and compare them against your approved service list.
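
The validation step in Examples 1 and 2 can be sketched as a comparison of observed egress flows against the documented inventory. This is an added example, not part of NIST 800-53 or any vendor tool; the inventory entries, hostnames, and flow-record layout are constructed assumptions.

```python
import csv
from io import StringIO

# Constructed inventory: what each provider states its service requires.
DOCUMENTED = [
    {"service": "payroll-saas", "host": "api.payroll.example", "proto": "tcp", "port": 443},
    {"service": "file-exchange", "host": "sftp.partner.example", "proto": "tcp", "port": 22},
]

# Constructed egress flow records (assumed layout): time,src,dst_host,proto,dst_port
FLOWS = """\
2024-05-01T10:00:01Z,10.0.4.12,api.payroll.example,tcp,443
2024-05-01T10:00:07Z,10.0.4.12,api.payroll.example,tcp,8443
2024-05-01T10:02:30Z,10.0.7.3,sftp.partner.example,tcp,22
2024-05-01T10:05:11Z,10.0.7.3,cdn.unlisted.example,tcp,443
"""

def audit_flows(documented, flow_text):
    """Return (flows outside the documented set, documented entries never observed)."""
    allowed = {(d["host"].lower(), d["proto"].lower(), int(d["port"])) for d in documented}
    known_hosts = {host for host, _, _ in allowed}
    seen, findings = set(), []
    for row in csv.reader(StringIO(flow_text)):
        if not row:
            continue  # blank line
        if len(row) != 5 or not row[4].strip().isdigit():
            # Report unparseable records instead of silently dropping them.
            findings.append({"time": None, "src": None, "dst": None, "reason": "malformed record"})
            continue
        ts, src, host, proto, port = (field.strip() for field in row)
        key = (host.lower(), proto.lower(), int(port))
        if key in allowed:
            seen.add(key)
            continue
        # A known provider on an unlisted port is a different finding from an unknown destination.
        reason = "undocumented port/protocol" if key[0] in known_hosts else "undocumented service"
        findings.append({"time": ts, "src": src, "dst": key, "reason": reason})
    # Documented entries with no traffic are candidates for removal from the allow list.
    return findings, sorted(allowed - seen)

if __name__ == "__main__":
    undocumented, unused = audit_flows(DOCUMENTED, FLOWS)
    for finding in undocumented:
        print(finding)
    print("documented but unobserved:", unused)
```

Documented entries that never appear in traffic are returned separately so that stale firewall allowances can be reviewed and removed.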