NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-9(8) — Processing and Storage Location — U.S. Jurisdiction
Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.
Supplemental Guidance
The geographic location of information processing and data storage can have a direct impact on the ability of organizations to successfully execute their mission and business functions. A compromise or breach of high-impact information and systems can have severe or catastrophic adverse impacts on organizational assets and operations, individuals, other organizations, and the Nation. Restricting the processing and storage of high-impact information to facilities within the legal jurisdictional boundary of the United States provides greater control over such processing and storage.
Practitioner Notes
For certain sensitive data, processing and storage must be limited to locations within U.S. jurisdiction. This is particularly important for CUI, ITAR data, and other regulated information types.
Example 1: For systems processing CUI or ITAR-controlled data, verify that all processing and storage locations are within the United States. Review your cloud provider's data residency documentation and restrict deployments to U.S. regions only. Include U.S.-only data processing requirements in your contracts.
Example 2: Use Microsoft 365 GCC or GCC High environments for government and defense contractor workloads that require U.S.-only data residency. These environments guarantee data processing within U.S. borders by Microsoft personnel who are U.S. persons with appropriate background checks.
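One way to run the verification described in Example 1 over a resource inventory, as an added example that is not part of NIST 800-53 or the original page. The region allowlist, the inventory format and the resource ids are constructed assumptions; the check covers replica and backup locations as well as the primary region, and routes global or unknown locations to manual review.

```python
# Added example: audit a resource inventory against a U.S.-only region allowlist.
# The allowlist and the inventory are constructed; build yours from your
# cloud provider's data residency documentation.
US_REGIONS = {
    "aws": {"us-east-1", "us-east-2", "us-west-1", "us-west-2",
            "us-gov-east-1", "us-gov-west-1"},
    "azure": {"eastus", "eastus2", "centralus", "westus", "westus2",
              "usgovvirginia", "usgovarizona"},
}

def check_location(provider, region):
    """Return 'ok', 'violation', or 'review' for one provider/region pair."""
    allowed = US_REGIONS.get(provider.lower())
    if allowed is None or not region or region.lower() == "global":
        # Unknown provider, missing region, or a global service: the location
        # cannot be proven from the inventory, so a person must confirm it.
        return "review"
    return "ok" if region.lower() in allowed else "violation"

def audit(inventory):
    """Check primary, replica and backup locations of every resource."""
    findings = []
    for res in inventory:
        locations = [("primary", res.get("region"))]
        locations += [("replica", r) for r in res.get("replica_regions", [])]
        locations += [("backup", r) for r in res.get("backup_regions", [])]
        for role, region in locations:
            status = check_location(res["provider"], region)
            if status != "ok":
                findings.append((res["id"], role, region, status))
    return findings

# Constructed sample inventory (hypothetical resource ids).
SAMPLE = [
    {"id": "cui-db", "provider": "aws", "region": "us-east-1",
     "backup_regions": ["us-west-2"]},
    {"id": "cui-bucket", "provider": "aws", "region": "us-east-1",
     "replica_regions": ["eu-west-1"]},
    {"id": "itar-vm", "provider": "azure", "region": "westeurope"},
    {"id": "cdn", "provider": "aws", "region": "global"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An explicit allowlist is used instead of matching on a "us" prefix so that a new or unrecognized region fails closed until someone confirms where it is.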