Include security requirements in system acquisition contracts.

CONTROL ID
01124
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system acquisition contracts., CC ID: 14758

This Control has the following implementation support Control(s):
  • Include operational requirements in system acquisition contracts., CC ID: 00825
  • Include required service levels in system acquisition contracts., CC ID: 11652
  • Include security controls in system acquisition contracts., CC ID: 01125
  • Obtain system documentation before acquiring products and services., CC ID: 01445
  • Obtain user documentation before acquiring products and services., CC ID: 14283
  • Require the information system developer to create a continuous monitoring plan., CC ID: 14307
  • Provide a Configuration Management plan by the Information System developer for all newly acquired assets., CC ID: 01446
  • Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets., CC ID: 01447


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number II.3(2): The selection of hardware, software, and networking products for acquisition for the system must be based on the procurement requirements from the development plan and user needs. This is a control item that constitutes a relatively small risk to financial information. T… (App 2-1 Item Number II.3(2), App 2-1 Item Number VI.5.4(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Banks may obtain application integrity statements in writing from the application system vendors providing for reasonable level of assurance about the application being free of malware at the time of sale, free of any obvious bugs, and free of any covert channels in the code (of the version of the a… (Critical components of information security 11) c.24., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • There is a need for defining requirements as part of the overall design and development of a recordkeeping system, but a definition of requirements specific to systems acquisition is not called for as it assumes that these requirements will be one and the same. (§ C.4, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • on the inclusion and specification of cybersecurity-related requirements for ICT products and ICT services in public procurement, including in relation to cybersecurity certification, encryption and the use of open-source cybersecurity products; (Article 7 2(b), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; (Article 21 2(e), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Member States shall ensure that, when considering which measures referred to in paragraph 2, point (d), of this Article are appropriate, entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practice… (Article 21 3., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Complying with the security targets in case of new developments and procurement of information systems as well as changes. (Section 5.11 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Requirements regarding the procurement, commissioning and release associated with the use of external IT services are determined and fulfilled. (1.3.3 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • The information security requirements associated with the acquisition or extension of IT systems and IT components are determined and taken into account. (5.3.1 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • The organization must specify security requirements in all contracts and ensure all contracts handling personal data adhere to the office of government commerce's model Terms and Conditions. (Mandatory Requirement 43, HMG Security Policy Framework, Version 6.0 May 2011)
  • The regulated user should define a requirement specification before selecting a commercial off-the-shelf, standard, or proprietary system for GxP regulated applications. (¶ 4.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • The acquisition process shall state the requirements for the contract or purchase order in order to minimize the risk of being provided with fraudulent or counterfeit parts. (§ 4.1.4 ¶ 1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The organization should ensure the requirements for providing a certificate of conformance and supply chain traceability are clearly stated as deliverable data in the procurement documents. (App C § C.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Security should be involved in the preliminary design phase of the facility. They should develop statements of security objectives and requirements that should be given to the architect when he/she receives the functional and aesthetic criteria. The security criteria should include building access f… (Pg 19-I-11 thru Pg 19-I-13, Protection of Assets Manual, ASIS International)
  • The external supplier security management process should include agreeing on security arrangements (e.g., based on business security requirements and compliance needs) for each supplier. (CF.16.01.01b, The Standard of Good Practice for Information Security)
  • Service agreements should specify the level of criticality of the service. (CF.07.07.02c, The Standard of Good Practice for Information Security)
  • Service agreements should specify requirements for segregation of duties. (CF.07.07.04a-1, The Standard of Good Practice for Information Security)
  • When acquiring hardware / software, security requirements should be considered. (CF.16.02.05a, The Standard of Good Practice for Information Security)
  • When acquiring hardware / software, contractual terms should be agreed with suppliers. (CF.16.02.05c, The Standard of Good Practice for Information Security)
  • Service agreements should specify the level of criticality of the service. (CF.07.07.02c, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify requirements for segregation of duties. (CF.07.07.04a-1, The Standard of Good Practice for Information Security, 2013)
  • When acquiring hardware / software, security requirements should be considered. (CF.16.02.05a, The Standard of Good Practice for Information Security, 2013)
  • When acquiring hardware / software, contractual terms should be agreed with suppliers. (CF.16.02.05c, The Standard of Good Practice for Information Security, 2013)
  • The external supplier security management process should include agreeing on security arrangements (e.g., based on business security requirements and compliance needs) for each supplier. (CF.16.01.01e, The Standard of Good Practice for Information Security, 2013)
  • Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. (CIS Control 16: Safeguard 16.5 Use Up-to-Date and Trusted Third-Party Software Components, CIS Controls, V8)
  • The organization shall include a requirements definition in all requests for products or services. (§ 6.1.1.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The security environment statement should identify and explain all known or presumed threats the product is required to protect against, the security policies the product must comply with, and the intended usage and environment of the product. (§ 9.2, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • (§ 8.4(c), ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • The security environment of the product or system should be examined to ensure all assumptions, threats, organizational security policies (guidelines that must be followed, such as password generation) are identified and explained. Descriptions of the security environment in the documentation should… (§ 8.3.2, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • Information security requirements should be identified, specified and approved when developing or acquiring applications. (§ 8.26 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Security functional requirements; (SA-4a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Security strength requirements; (SA-4b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Security assurance requirements; (SA-4c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Requirements for protecting security-related documentation; (SA-4e., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Security-related documentation requirements; (SA-4d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Security-related documentation requirements; (SA-4d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Security assurance requirements; (SA-4c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Security functional requirements; (SA-4a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Requirements for protecting security-related documentation; (SA-4e., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Security strength requirements; (SA-4b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Security-related specifications should be based on needs and a cost-benefit analysis for all telecommunications or automated information system (TAIS) or non communications emitter procurement packages. (§ 1-5.a(3), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CMS business partner managers of compartmentalized systems shall specify the required security level when negotiating with general support systems (GSSs) and major applications (MAs) for services. (§ 4.1.3 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • The system security officer (SSO) must verify that the RFPs and subcontracts that involve Medicare claims processing include system security requirements and evaluation/test procedures. (CSR 1.5.7(3), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The business owner and the system developer/maintainer shall ensure development agreements and/or solicitation documents allow security requirements to be updated due to new threats or risks. (§ 3.2 Task 2, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • A medical device manufacturer shall establish and maintain data clearly referencing or describing the requirements, including quality requirements, for purchased/received products and services. Purchasing documents shall include agreements that consultants, contractors, and suppliers will notify the… (§ 820.50(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Obtains attestation or evidence from third-party developers that the applications acquired by the institution meet the necessary security requirements and that noted vulnerabilities or flaws are remediated in a timely manner. (App A Objective 6.28.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Contractual assurances from third-party service providers for security responsibilities, controls, and reporting. (App A Objective 6.31.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The integrity and security of the network, system, and application software used in the systems development process; (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 8, FFIEC IT Examination Handbook - Audit, April 2012)
  • The organization should define the information and security requirements for the product it is acquiring. (Pg 39, Pg 41, FFIEC IT Examination Handbook - Development and Acquisition)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security assurance requirements; (SA-4c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Requirements for protecting security-related documentation; (SA-4e. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security strength requirements; (SA-4b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security-related documentation requirements; (SA-4d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security functional requirements; (SA-4a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security strength requirements; (SA-4b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security-related documentation requirements; (SA-4d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security assurance requirements; (SA-4c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Requirements for protecting security-related documentation; (SA-4e. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security functional requirements; (SA-4a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Requirements for protecting security-related documentation; (SA-4e. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security assurance requirements; (SA-4c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security-related documentation requirements; (SA-4d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security strength requirements; (SA-4b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Security functional requirements; (SA-4a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., FedRAMP Security Controls High Baseline, Version 5)
  • Strength of mechanism requirements; (SA-4b., FedRAMP Security Controls High Baseline, Version 5)
  • Security and privacy documentation requirements; (SA-4e., FedRAMP Security Controls High Baseline, Version 5)
  • Security and privacy assurance requirements; (SA-4c., FedRAMP Security Controls High Baseline, Version 5)
  • Security and privacy functional requirements; (SA-4a., FedRAMP Security Controls High Baseline, Version 5)
  • Requirements for protecting security and privacy documentation; (SA-4f., FedRAMP Security Controls High Baseline, Version 5)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., FedRAMP Security Controls Low Baseline, Version 5)
  • Strength of mechanism requirements; (SA-4b., FedRAMP Security Controls Low Baseline, Version 5)
  • Security and privacy documentation requirements; (SA-4e., FedRAMP Security Controls Low Baseline, Version 5)
  • Security and privacy assurance requirements; (SA-4c., FedRAMP Security Controls Low Baseline, Version 5)
  • Security and privacy functional requirements; (SA-4a., FedRAMP Security Controls Low Baseline, Version 5)
  • Requirements for protecting security and privacy documentation; (SA-4f., FedRAMP Security Controls Low Baseline, Version 5)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Strength of mechanism requirements; (SA-4b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Security and privacy documentation requirements; (SA-4e., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Security and privacy assurance requirements; (SA-4c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Security and privacy functional requirements; (SA-4a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Requirements for protecting security and privacy documentation; (SA-4f., FedRAMP Security Controls Moderate Baseline, Version 5)
  • System acquisition contracts must include the security requirements and/or security specifications for any systems that contain Federal Tax Information. The requirements and/or specifications must be based on a risk assessment. (§ 5.6.14, Exhibit 4 SA-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Strength of mechanism requirements; (SA-4b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Security and privacy documentation requirements; (SA-4e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Security and privacy functional requirements; (SA-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Security and privacy assurance requirements; (SA-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Requirements for protecting security and privacy documentation; (SA-4f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Requirements for protecting security and privacy documentation; (SA-4f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Security and privacy documentation requirements; (SA-4e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Security and privacy assurance requirements; (SA-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Strength of mechanism requirements; (SA-4b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Security and privacy functional requirements; (SA-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Security and privacy assurance requirements; (SA-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Requirements for protecting security and privacy documentation; (SA-4f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Security and privacy documentation requirements; (SA-4e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Security and privacy functional requirements; (SA-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Strength of mechanism requirements; (SA-4b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Strength of mechanism requirements; (SA-4b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Security and privacy documentation requirements; (SA-4e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Requirements for protecting security and privacy documentation; (SA-4f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Security and privacy assurance requirements; (SA-4c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Security and privacy functional requirements; (SA-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • This contextual basis sets the stage for the Acquisition Team to effectively gauge their tolerance for risk as it pertains to a specific procurement requirement and determine which of the C-SCRM controls described in this document and [NIST SP 800-53 Rev 5] controls are relevant and necessary to con… (3.1.2. ¶ 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Security and privacy functional requirements; (SA-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Strength of mechanism requirements; (SA-4b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Security and privacy assurance requirements; (SA-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Security and privacy documentation requirements; (SA-4e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Requirements for protecting security and privacy documentation; (SA-4f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Strength of mechanism requirements; (SA-4b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Security and privacy documentation requirements; (SA-4e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Security and privacy assurance requirements; (SA-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Security and privacy functional requirements; (SA-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Requirements for protecting security and privacy documentation; (SA-4f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Strength of mechanism requirements; (SA-4b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Security and privacy documentation requirements; (SA-4e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Security and privacy assurance requirements; (SA-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Security and privacy functional requirements; (SA-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Requirements for protecting security and privacy documentation; (SA-4f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Strength of mechanism requirements; (SA-4b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Security and privacy documentation requirements; (SA-4e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Security and privacy assurance requirements; (SA-4c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Security and privacy functional requirements; (SA-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Requirements for protecting security and privacy documentation; (SA-4f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • (§ 3.4.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure security requirements and specifications are included in all acquisition contracts; that the contracts describe explicitly or by reference describe required security capabilities, design and development processes, and test and evaluat… (SA-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Requirements for protecting security-related documentation; (SA-4e. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Requirements for protecting security-related documentation; (SA-4e. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security functional requirements; (SA-4a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security functional requirements; (SA-4a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security functional requirements; (SA-4a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security strength requirements; (SA-4b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security strength requirements; (SA-4b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security assurance requirements; (SA-4c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security assurance requirements; (SA-4c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security assurance requirements; (SA-4c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security strength requirements; (SA-4b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security-related documentation requirements; (SA-4d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security-related documentation requirements; (SA-4d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Security-related documentation requirements; (SA-4d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Requirements for protecting security-related documentation; (SA-4e. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals. (T0277, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Document and address organization's information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition life cycle. (T0082, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide input on security requirements to be included in statements of work and other appropriate procurement documents. (T0203, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide system-related input on cybersecurity requirements to be included in statements of work and other appropriate procurement documents. (T0211, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization's own software. [Formerly PW.3.1] (PO.1.3, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • The organization must include the security requirements in acquisition contracts in accordance with applicable laws, regulations, and security policies. (SG.SA-4 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must include the security functional requirements and/or security functional specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standard… (App F § SA-4.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must include the determination of security requirements for the Information System in mission case planning and business case planning. (App F § SA-2.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • By using the appropriate contractual vehicles, the organization can require external providers, in collaboration with the organization, to execute the security categorization and security control selection steps. This information can help the organization determine what security controls are in plac… (§ 3.3 ¶ Applying Gap Analyses to External Service Providers, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must include security-related documentation requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. (App F § SA-4.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must include the development and evaluation-related assurance requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. (App F § SA-4.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Document and address organization's information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition life cycle. (T0082, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide input on security requirements to be included in statements of work and other appropriate procurement documents. (T0203, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide system-related input on cybersecurity requirements to be included in statements of work and other appropriate procurement documents. (T0211, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals. (T0277, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization determines information security requirements for the information system or information system service in mission/business process planning. (SA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization describes the trustworthiness required in the {organizationally documented information system, information system component, or information system service} supporting its critical missions/business functions. (SA-13a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements {organizationally documented assurance overlay} to achieve such trustworthiness. (SA-13b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization determines information security requirements for the information system or information system service in mission/business process planning. (SA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization determines information security requirements for the information system or information system service in mission/business process planning. (SA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization determines information security requirements for the information system or information system service in mission/business process planning. (SA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, re… (SA-4g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Security-related documentation requirements; (SA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Security assurance requirements; (SA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Security functional requirements; (SA-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Requirements for protecting security-related documentation; (SA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Security strength requirements; (SA-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Security strength requirements; (SA-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Security functional requirements; (SA-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Security assurance requirements; (SA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Security-related documentation requirements; (SA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Requirements for protecting security-related documentation; (SA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Security functional requirements; (SA-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Security strength requirements; (SA-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Security assurance requirements; (SA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Requirements for protecting security-related documentation; (SA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Security-related documentation requirements; (SA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Security-related documentation requirements; (SA-4d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Security functional requirements; (SA-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Security assurance requirements; (SA-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Requirements for protecting security-related documentation; (SA-4e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Security strength requirements; (SA-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development… (SA-4(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and (SA-13a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Strength of mechanism requirements; (SA-4b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Security and privacy documentation requirements; (SA-4e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Security and privacy assurance requirements; (SA-4c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function. (SA-4(11) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Assignment: organization-defined systems engineering methods]; (SA-4(3) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and (SA-4(3) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Security and privacy functional requirements; (SA-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Requirements for protecting security and privacy documentation; (SA-4f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; (SA-2a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Strength of mechanism requirements; (SA-4b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Security and privacy documentation requirements; (SA-4e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Security and privacy assurance requirements; (SA-4c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function. (SA-4(11) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Assignment: organization-defined systems engineering methods]; (SA-4(3) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and (SA-4(3) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Security and privacy functional requirements; (SA-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Requirements for protecting security and privacy documentation; (SA-4f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Security functional requirements; (SA-4a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Security strength requirements; (SA-4b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Security assurance requirements; (SA-4c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Security-related documentation requirements; (SA-4d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Requirements for protecting security-related documentation; (SA-4e., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and (SA-13a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • SECURE GLOBAL SUPPLY CHAINS FOR INFORMATION, COMMUNICATIONS, AND OPERATIONAL TECHNOLOGY PRODUCTS AND SERVICES (STRATEGIC OBJECTIVE 5.5, National Cybersecurity Strategy)
  • SECURE GLOBAL SUPPLY CHAINS FOR INFORMATION, COMMUNICATIONS, AND OPERATIONAL TECHNOLOGY PRODUCTS AND SERVICES (STRATEGIC OBJECTIVE 5.5, National Cybersecurity Strategy (Condensed))
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., TX-RAMP Security Controls Baseline Level 1)
  • Security functional requirements; (SA-4a., TX-RAMP Security Controls Baseline Level 1)
  • Security strength requirements; (SA-4b., TX-RAMP Security Controls Baseline Level 1)
  • Security assurance requirements; (SA-4c., TX-RAMP Security Controls Baseline Level 1)
  • Security-related documentation requirements; (SA-4d., TX-RAMP Security Controls Baseline Level 1)
  • Requirements for protecting security-related documentation; (SA-4e., TX-RAMP Security Controls Baseline Level 1)
  • Security functional requirements; (SA-4a., TX-RAMP Security Controls Baseline Level 2)
  • Security strength requirements; (SA-4b., TX-RAMP Security Controls Baseline Level 2)
  • Determines information security requirements for the information system or information system service in mission/business process planning; (SA-2a., TX-RAMP Security Controls Baseline Level 2)
  • Security assurance requirements; (SA-4c., TX-RAMP Security Controls Baseline Level 2)
  • Requirements for protecting security-related documentation; (SA-4e., TX-RAMP Security Controls Baseline Level 2)
  • Security-related documentation requirements; (SA-4d., TX-RAMP Security Controls Baseline Level 2)