PS-08-019 Outsourced Facilities Management

Issue Date:  3/20/2008

Revision Effective Date:  3/20/2008 

Review Date: 12/1/2020


Using an external provider for information processing facilities introduces potential security risks and requires additional precautions to be incorporated into service contracts compared to contractors providing IT services within the physical control of the State.  This policy establishes the requirement for agencies to identify and address these concerns in the service contracts for providers entrusted to manage State information systems in their facilities.


Contracts and service agreements for outsourcing management of State information processing facilities to an external service provider shall detail explicit security requirements and controls including adherence to all applicable state and agency security policies and standards necessary to adequately protect the information resources entrusted to the third-party.


Third Party Security Requirements (SS-08-049)

Facilities Security (SS-08-015)

Computer Operations Center Security (SS-08-016)

Personnel Identity Verification and Screening (SS-08-017)

Outsourced IT Services and Third-Party Interconnections (SS-08-044)



NIST SP 800-53 (Rev. 5) SA-9: External System Services