Include security controls in system acquisition contracts.


CONTROL ID: 01125
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include security requirements in system acquisition contracts., CC ID: 01124

This Control has the following implementation support Control(s):
  • Include the cost effectiveness of security controls in system acquisition contracts., CC ID: 11653


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • An APRA-regulated entity would typically implement secure software development and acquisition techniques to assist in maintaining confidentiality, integrity and availability by improving the general quality and vulnerability profile of the software (refer to Attachment D for further guidance). (48., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Acquisition and implementation controls would typically be in place to ensure that information security is not compromised by the introduction of new information assets. Ongoing support and maintenance controls would typically be in place to ensure that information assets continue to meet the inform… (36., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • on the inclusion and specification of cybersecurity-related requirements for ICT products and ICT services in public procurement, including in relation to cybersecurity certification, encryption and the use of open-source cybersecurity products; (Article 7 2(b), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • The information security function should assist business functions (e.g., procurement and legal) in the definition of standard / contractual requirements for the purchase and use of cloud services. (CF.16.04.02, The Standard of Good Practice for Information Security)
  • The information security function should assist business functions (e.g., procurement and legal) in the definition of standard / contractual requirements for the purchase and use of cloud services. (CF.16.04.02, The Standard of Good Practice for Information Security, 2013)
  • The system security officer (SSO) must verify that the solicitation document requirements allow security controls to be updated as new threats and vulnerabilities are identified and new technologies are implemented. (CSR 1.5.7(4), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Controls over risks associated with system development and acquisition. (App A Objective 2:7 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Policies documenting risk management controls for the development and acquisition of systems. (App A Objective 12:10 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization should have security control requirements included in the software licensing and development contracts. The vendor should be required to protect the confidentiality and security of the organization's resources and data. (Pg 49, FFIEC IT Examination Handbook - Development and Acquisition)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., FedRAMP Security Controls High Baseline, Version 5)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., FedRAMP Security Controls Low Baseline, Version 5)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Acquisition policies and processes need to incorporate C-SCRM considerations into each step of the procurement and contract management life cycle management process (i.e., plan procurement, define and develop requirements, perform market analysis, complete procurement, ensure compliance, and monitor… (3.1.2. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure the development and implementation of information systems consider security design principles in accordance with NIST Special Publication 800-27 and specific responsibilities and actions are defined for the implementation of the secur… (SA-8, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness. (SA-13b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Controls needed to satisfy the security and privacy requirements. (SA-4d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Select and Document Security Controls: The selection and documentation of security controls corresponds to step 2 in the NIST Risk Management Framework. The selection of security controls consists of three activities: the selection of baseline security controls (including common security controls); … (§ 3.2.3.2, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
  • Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness. (SA-13b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)