myctrl.tools
Compare

PM-7(1)Offloading

>Control Description

Offload organization-defined non-essential functions or services to other systems, system components, or an external provider.

>Cross-Framework Mappings

SCF

SEA-02.2
Compare

>Supplemental Guidance

Not every function or service that a system provides is essential to organizational mission or business functions. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services that support essential mission or business functions.

Maintaining such functions on the same system or system component increases the attack surface of the organization's mission-essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services.

>Related Controls

SA-8

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What program-level governance exists for offloading?
  • Who has overall responsibility and accountability for offloading across the organization?
  • How does the organization measure and report on offloading effectiveness?
  • What resources are allocated to support offloading activities?
  • How does offloading integrate with other organizational programs and initiatives?

Technical Implementation:

  • What enterprise systems or platforms support offloading?
  • How are offloading activities tracked and reported organization-wide?
  • What integration exists between offloading tools and other security/privacy systems?
  • What automation supports offloading at the program level?
  • What metrics or analytics are used to measure offloading effectiveness?

Evidence & Documentation:

  • Provide program-level documentation for offloading.
  • Provide evidence of offloading review and approval by senior leadership.
  • Provide metrics or reports demonstrating offloading effectiveness.
  • Provide records of offloading updates and improvements.
  • Provide documentation of offloading integration with organizational governance.

Ask AI

Configure your API key to use AI features.