The college organization evaluates security risks associated with the services and product supply chain to ensure potential vulnerabilities are identified and addressed proactively.

The college shall adhere to NIST 800-53r5 controls related to third-party access, including but not limited to Access Control (AC), Audit and Accountability (AU), Security Assessment and Authorization (CA), and System and Communications Protection (SC). Additionally, the college shall regularly assess and monitor third-party access privileges, enforce strong authentication mechanisms, encrypt sensitive data in transit and at rest, and ensure third parties comply with the college's cybersecurity policies and procedures.

Prior to the acquisition or outsourcing of technology-related services, the college shall conduct a thorough risk assessment to identify and mitigate potential cybersecurity risks associated with the new services. The risk assessment process shall follow the guidelines outlined in NIST Special Publication 800-30 and shall be documented and reviewed periodically to ensure continued effectiveness.

The college restricts the location of information processing/storage based on business requirements in accordance with NIST 800-53r5 controls, ensuring the protection and confidentiality of sensitive data.