Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-4(9)

acquisition process  | functions / ports / protocols / services in use

assessment objective:

Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:

sa-4(9)[1]

the functions intended for organizational use;

sa-4(9)[2]

the ports intended for organizational use;

sa-4(9)[3]

the protocols intended for organizational use; and

sa-4(9)[4]

the services intended for organizational use.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process; information system design documentation; information system documentation including functions, ports, protocols, and services intended for organizational use; acquisition contracts for information systems or services; acquisition documentation; solicitation documentation; service-level agreements; organizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services; other relevant documents or records].

Interview: [select from: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security requirements; system/network administrators; organizational personnel operating, using, and/or maintaining the information system; information system developers; organizational personnel with information security responsibilities].