
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Scoring columns used in this guide:

Applicable: (Y)es / (N)o
(C)onfidentiality: L1 / M2 / H3
(I)ntegrity: L1 / M2 / H3
(A)vailability: L1 / M2 / H3
RPN: (C+I+A)
Result: (S)atisfactory / (O)ther than satisfactory +##


SA-4 Acquisition Process

Assessment objective:

Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

SA-4(a) security functional requirements;

SA-4(b) security strength requirements;

SA-4(c) security assurance requirements;

SA-4(d) security-related documentation requirements;

SA-4(e) requirements for protecting security-related documentation;

SA-4(f) description of:

SA-4(f)[1] the information system development environment;

SA-4(f)[2] the environment in which the system is intended to operate; and

SA-4(g) acceptance criteria.

Potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process; acquisition contracts for the information system, system component, or information system service; information system design documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security functional, strength, and assurance requirements; system/network administrators; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for determining information system security functional, strength, and assurance requirements; organizational processes for developing acquisition contracts; automated mechanisms supporting and/or implementing acquisitions and inclusion of security requirements in contracts].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056