NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-9(5) Processing, Storage, and Service Location

Restrict the location of [Selection (one or more): information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate.

Practitioner Notes

Know where your data is being processed and stored by external service providers. Data location affects which laws apply, what risks exist, and whether your regulatory requirements are met.

Example 1: In your service agreements, specify that data must be processed and stored in the United States (or other approved jurisdictions). Require the provider to notify you before any data location changes and give you the right to terminate if data moves to an unapproved jurisdiction.

Example 2: In Azure, use Azure Policy to restrict resource deployment to specific regions (e.g., East US, West US). This ensures that your virtual machines, databases, and storage accounts are only created in approved data center locations. Audit compliance with these policies monthly.
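The following is an added example, not part of the original control text or any vendor documentation. It shows a custom Azure Policy definition in the JSON shape that Azure Policy uses (a `location notIn [parameters(...)]` rule in `Indexed` mode, excluding resources whose location is the literal `global`), together with a small offline evaluator that applies that same rule to an inventory snapshot so the monthly compliance audit in Example 2 can be scripted. The inventory, resource names, subscription id and the approved region list are constructed for illustration; the `az policy` commands in the comments are the standard CLI calls for publishing such a definition, with placeholder scopes.

```python
"""Offline audit of Azure resource locations against an "allowed locations"
Azure Policy rule (SA-9(5): restrict processing/storage locations)."""
import json
import re

# Custom policy definition in Azure Policy JSON form. Mode "Indexed" evaluates
# only resource types that carry a location and tags; the second clause skips
# resources Azure reports as "global" (DNS zones, Traffic Manager profiles).
ALLOWED_LOCATIONS_POLICY = {
    "properties": {
        "displayName": "Allowed locations (SA-9(5))",   # constructed name
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {
            "listOfAllowedLocations": {
                "type": "Array",
                "metadata": {"displayName": "Allowed locations",
                             "strongType": "location"},
            }
        },
        "policyRule": {
            "if": {"allOf": [
                {"field": "location",
                 "notIn": "[parameters('listOfAllowedLocations')]"},
                {"field": "location", "notEquals": "global"},
            ]},
            "then": {"effect": "deny"},
        },
    }
}
# To publish (placeholders, run from an authenticated Azure CLI session):
#   az policy definition create --name allowed-locations-sa9-5 \
#       --mode Indexed --rules policy.json --params params.json
#   az policy assignment create --name allowed-locations --scope /subscriptions/<subscription-id> \
#       --policy allowed-locations-sa9-5 \
#       --params '{"listOfAllowedLocations": {"value": ["eastus", "westus"]}}'

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def _resolve(value, params):
    """Expand an Azure Policy parameter reference such as [parameters('x')]."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def _norm(value):
    """Azure location names are case-insensitive and ignore spaces ("West US" == "westus")."""
    return value.replace(" ", "").lower()


def condition_matches(cond, resource, params):
    """Evaluate one policy condition (allOf / anyOf / not / field comparison)."""
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    actual = _norm(resource.get(cond["field"], ""))
    if "notIn" in cond:
        return actual not in {_norm(v) for v in _resolve(cond["notIn"], params)}
    if "in" in cond:
        return actual in {_norm(v) for v in _resolve(cond["in"], params)}
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    raise ValueError(f"unsupported condition: {cond}")


def audit(resources, allowed_locations, policy=ALLOWED_LOCATIONS_POLICY):
    """Return ids of resources the policy would deny (i.e. non-compliant ones)."""
    props = policy["properties"]
    params = {"listOfAllowedLocations": allowed_locations}
    findings = []
    for r in resources:
        if props["mode"] == "Indexed" and "location" not in r:
            continue  # resource groups etc. are not evaluated in Indexed mode
        if condition_matches(props["policyRule"]["if"], r, params):
            findings.append(r["id"])
    return findings


# Constructed inventory snapshot, trimmed to the fields `az resource list` returns.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers"
SAMPLE_INVENTORY = [
    {"id": f"{_SUB}/Microsoft.Compute/virtualMachines/vm-web01",
     "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"id": f"{_SUB}/Microsoft.Storage/storageAccounts/stbackup01",
     "type": "Microsoft.Storage/storageAccounts", "location": "westeurope"},
    {"id": f"{_SUB}/Microsoft.Network/dnszones/example.internal",
     "type": "Microsoft.Network/dnszones", "location": "global"},
    {"id": f"{_SUB}/Microsoft.Sql/servers/sql-prod",
     "type": "Microsoft.Sql/servers", "location": "West US"},
]

if __name__ == "__main__":
    # Only the West Europe storage account violates an eastus/westus allow-list.
    print(json.dumps(audit(SAMPLE_INVENTORY, ["eastus", "westus"]), indent=2))
```

For the monthly audit, feed the output of `az resource list` (or a Resource Graph export) into `audit()` with the same region list that is bound to the policy assignment; a non-empty result means either the assignment has an exemption you should review or the resource predates the policy, since `deny` only blocks new deployments.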