NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-9(3) Establish and Maintain Trust Relationship with Providers

Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: {{ insert: param, sa-9.3_prm_1 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Trust relationships between organizations and external service providers reflect the degree of confidence that the risk from using external services is at an acceptable level. Trust relationships can help organizations gain increased levels of confidence that service providers are providing adequate protection for the services rendered and can also be useful when conducting incident response or when planning for upgrades or obsolescence. Trust relationships can be complicated due to the potentially large number of entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and types of interactions between the parties. In some cases, the degree of trust is based on the level of control that organizations can exert on external service providers regarding the controls necessary for the protection of the service, information, or individual privacy and the evidence brought forth as to the effectiveness of the implemented controls. The level of control is established by the terms and conditions of the contracts or service-level agreements.

Practitioner Notes

Establish and maintain a trust relationship with your external service providers. Trust is not a one-time evaluation — it requires ongoing monitoring and verification that the provider continues to meet your security requirements.

Example 1: Request updated SOC 2 Type II reports from your critical vendors annually. Review the auditor's findings and management responses. If the report shows significant control failures, schedule a meeting with the vendor to understand their remediation plan and timeline.

Example 2: Include contractual provisions for regular security attestations, notification of material security changes, and the right to conduct or commission independent audits. Schedule annual vendor review meetings to discuss security posture, incident history, and upcoming changes that might affect your security.