We recommend that for future agreements, NARA should: Require that providers of external information system services comply with NARA information security requirements. Define and document government oversight and user roles and responsibilities with regard to external information systems, and Establish a process to monitor security control compliance by external service providers on an ongoing basis.