An information system service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.
Source(s):
CNSSI 4009-2015 from NIST SP 800-37 Rev. 1, NIST SP 800-53 Rev. 4
NIST SP 800-37 Rev. 1 [Superseded] under External Information System Service
NIST SP 800-53 Rev. 4 [Superseded] under External Information System Service

  A system service that is implemented outside of the authorization boundary of the organizational system (i.e., a service that is used by, but not a part of, the organizational system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.
Source(s):
NIST SP 800-171 Rev. 2 under external system service
NIST SP 800-171 Rev. 1 [Superseded] under external system service

  A system service that is implemented outside of the authorization boundary of the organizational system (i.e., a service that is used by, but not a part of, the organizational system) and for which the organization typically has no direct control over the application of required controls or the assessment of control effectiveness.
Source(s):
NIST SP 800-37 Rev. 2 under external system service

  A system service that is provided by an external service provider and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness.
Source(s):
NIST SP 800-53 Rev. 5 under external system service