NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-7(1) Offloading

Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Not every function or service that a system provides is essential to organizational mission or business functions. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services that support essential mission or business functions. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission-essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services.

Practitioner Notes

Offloading means moving certain security functions or services to another organization or provider. If your company lacks the resources to run a 24/7 security operations center, you might offload that function to a managed security service provider (MSSP).

Example 1: Contract with an MSSP to handle your SIEM monitoring, incident detection, and initial triage. Document in your security plan which functions are offloaded, who the provider is, and what SLAs govern their performance (e.g., 15-minute response time for critical alerts).

Example 2: Use Microsoft Sentinel as your cloud SIEM and engage a Microsoft partner for managed detection and response. Document the shared responsibility model — what the partner monitors, what triggers they escalate, and what your internal team handles — in your security program plan.