NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-9(7) Organization-controlled Integrity Checking

Provide the capability to check the integrity of information while it resides in the external system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Storage of organizational information in an external system could limit visibility into the security status of its data. The ability of the organization to verify and validate the integrity of its stored data without transferring it out of the external system provides such visibility.

Practitioner Notes

When external services process or store your data, you should have the ability to independently verify the integrity of that data — not just trust the provider's word that nothing has been modified.

Example 1: Implement cryptographic integrity verification for data stored with external providers. Before uploading critical data, compute and store hash values (SHA-256) locally. Periodically download samples and verify the hashes match to confirm data has not been altered.

Example 2: For database replication to external services, use transaction log verification to confirm that all transactions are applied correctly. Run periodic reconciliation checks comparing local and external data stores to detect any discrepancies that might indicate data corruption or tampering.
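One way to implement the hash-then-verify check from Example 1, as an added example that is not part of the original page: a manifest of SHA-256 digests is built locally before upload, then a random sample is downloaded and compared, with altered and missing objects reported separately. The function names, the object names and the in-memory dict standing in for the provider's download API are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import random


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(objects):
    """Before upload: record one SHA-256 digest per object. Keep this locally."""
    return {name: sha256_hex(data) for name, data in objects.items()}


def verify_sample(manifest, fetch, sample_size, rng=None):
    """Download a random sample and compare it with the local manifest.

    fetch(name) returns the object's bytes, or None if the provider no
    longer has it. Returns sorted name lists: ok, modified, missing.
    """
    rng = rng or random.SystemRandom()  # sample the provider cannot predict
    names = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    report = {"ok": [], "modified": [], "missing": []}
    for name in names:
        data = fetch(name)
        if data is None:
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_hex(data), manifest[name]):
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    return {status: sorted(found) for status, found in report.items()}


if __name__ == "__main__":
    # Constructed sample data: three local files about to be uploaded.
    local = {
        "contracts/2024-q1.pdf": b"constructed contract bytes",
        "hr/payroll.csv": b"id,amount\n1,1000\n",
        "eng/design.docx": b"constructed design notes",
    }
    manifest = build_manifest(local)

    # Simulated provider state (assumption): one object altered, one lost.
    external = dict(local)
    external["hr/payroll.csv"] = b"id,amount\n1,9000\n"
    del external["eng/design.docx"]

    print(verify_sample(manifest, external.get, sample_size=3))
```

The manifest is the trust anchor for every later check, so it has to be stored where the external provider cannot modify it.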