GRR-3 Data Locations

IL4 Mod
IL4 High
IL5
IL6

Control Description

Does the CSO ensure that all DoD data remains in the States, districts, territories, and outlying areas of the United States, thereby ensuring that the data remains under U.S. jurisdiction at all times?

DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

Discussion

DoD Requirement: The CSO provides a list of the physical locations where the data could be stored at any given time and explains how the data is kept within these boundaries.

See Section 5.2.1, and all subsections, of CC SRG V1R4 for additional details.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address data locations?
  • Who is accountable for implementing and maintaining data locations controls?
  • How frequently are data locations requirements reviewed, and what triggers updates?
  • What process ensures changes to systems maintain compliance with data locations requirements?
  • How are exceptions to data locations requirements documented and approved?

Technical Implementation:

  • What technical controls enforce data locations in your environment?
  • How are data locations controls configured and maintained across all systems?
  • What automated mechanisms support data locations compliance?
  • How do you validate that data locations implementations achieve their intended security outcome?
  • What compensating controls exist if primary data locations controls cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves the data locations control is implemented and operating effectively?
  • Can you provide configuration evidence showing how the data locations control is technically enforced?
  • What audit logs or monitoring data demonstrate ongoing data locations compliance?
  • Can you show evidence of a recent review or assessment of data locations controls?
  • What artifacts would you provide during an assessment to demonstrate data locations compliance?
