Establish, implement, and maintain a product and services acquisition strategy.


CONTROL ID
01133
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Plan for acquiring facilities, technology, or services., CC ID: 06892

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It may be prudent that a fast-track software and hardware procurement process is formulated, which includes making prior arrangement with the related software and hardware providers to allow upgrading of system capacity within a short period of time when such a need arises. In any case, adequate end… (§ 9.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • It may be prudent that a fast-track software and hardware procurement process is formulated, which includes making prior arrangement with the related software and hardware providers to allow upgrading of system capacity within a short period of time when such a need arises. In any case, adequate end… (§ 9.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The organization must check the product evaluation documentation in order to determine the product specific requirements. (Control: 0463, Australian Government Information Security Manual: Controls)
  • selection and configuration — considerations when selecting and configuring vendor supplied software include due diligence as to the security testing conducted to identify vulnerabilities (either intended or deliberate); user access management capabilities (e.g. role based, support of segregation … (Attachment D 2(c)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • You should determine whether you will buy services to build or build yourself. You can use in-house technology, additional technology brought from outside and tailored to suit needs or you can have someone else design additional technology. Cost, flexibility and integration speed are generally the b… (§ F.4.5.1, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Evidence must be maintained by service organizations to demonstrate that the appropriate procedures were followed for all new developments and acquisitions, including IT project definition and management; systems analysis; infrastructure plans; software design, programs, documentation, tests, releas… (§ 5.3 (SDLC Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Information security-related initiatives should be supported by a business case that includes details regarding the need to purchase new Information Security-related products or services. (SG.02.02.06b, The Standard of Good Practice for Information Security)
  • A process should be established that ensures that the use of cloud services (including generic cloud services) is approved by business owners and the corporate Information Technology function (or equivalent). (CF.16.04.07b, The Standard of Good Practice for Information Security)
  • Information security-related initiatives should be supported by a business case that includes details regarding the need to purchase new Information Security-related products or services. (SG.02.02.06b, The Standard of Good Practice for Information Security, 2013)
  • A process should be established that ensures that the use of cloud services (including generic cloud services) is approved by business owners and the corporate Information Technology function (or equivalent). (CF.16.04.07b, The Standard of Good Practice for Information Security, 2013)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacente… (CCC-01, Cloud Controls Matrix, v3.0)
  • The organization shall establish procedures for ensuring that all purchased products conform to the purchase requirements. (§ 7.4.1 ¶ 1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall establish a process for acquiring products and services. (§ 6.1.1.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The supplier shall deliver the service or product to the organization in accordance with the agreement. (§ 6.1.2.3(e)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • new products, services and processes, or changes to existing products, services and processes, including: (§ 8.1.3 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • All procurement must provide for open and free competition. A grantee must be alert to conflicts of interest and noncompetitive practices that may restrict or eliminate competition. Contractors that draft or develop grant applications, or contract requirements, statements of work, specifications, in… (§ 495.348(d), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • The capital planning and investment process must include identifying information systems investments that would result in shared costs and benefits with other agencies and identifying quantifiable measurements to determine the net benefits and risks of the investments. Modular contracting should be … (§ 5122(b)(4), § 5122(b)(5), § 5202.35, Clinger-Cohen Act (Information Technology Management Reform Act))
  • The criteria for selecting Commercial Off-The-Shelf products that support Records Management Application requirements should include the feasibility and capability of the product to implement and maintain Department of Defense standards. (§ C2.1.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The organization must limit the acquisition of government off the shelf Information Technology products to products that have been evaluated by the National Security Agency or with National Security Agency-approved processes. (DCAS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must limit the acquisition of commercial off the shelf Information Technology products to products that have been evaluated by the National Information Assurance Partnership evaluation and validation program, the international Common Criteria for Information Security technology eval… (DCAS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The acquisition standards should address the same requirements as the development standards. The acquisition standards should focus on which controls the product has already built into it. (Pg 40, Exam Obj 6.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • The organization should develop a requirements definition document to use for deciding which outsource provider to select for a contract. This document should contain descriptions of the organization's expectations for the outsource provider. It should include information on the scope and nature of … (Pg 8, Pg 9, Exam Tier I Obj 3.2, Exam Tier II Obj A.1, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The joint authorization board must approve and accept all future, planned outsourced services. (Column F: SA-9(1), FedRAMP Baseline Security Controls)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Does management use a formal methodology for acquiring, developing, or maintaining new software or modified software? (IT - Networks Q 35, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements. (T0256, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should explicitly assign each acquired system component to a system and the system owner should acknowledge the assignment. (App F § SA-4(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use only Government Off-The-Shelf or Commercial Off-The-Shelf Information Assurance and information assurance-enabled technology products that are a National Security agency-approved solution to protect classified information when the networks that are transmitting the inform… (App F § SA-4(6)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should ensure off-the-shelf products used for transmitting information at a lower classification level than the information being transmitted have been evaluated and/or validated by the National Security Agency or with National Security Agency-approved procedures. (App F § SA-4(6)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should limit the use of commercially furnished Information Technology products to products that are successfully evaluated against a validated united states government Protection Profile. (App F § SA-4(7)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements. (T0256, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at… (SA-4(6)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. (SA-4(6)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology… (SA-4(7)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the acquisition or outsourcing of dedicated information security services is approved by {organizationally documented personnel}. (SA-9(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the acquisition or outsourcing of dedicated information security services is approved by {organizationally documented roles}. (SA-9(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizationally documented tailored acquisition strategies, contract tools, and procurement methods} for the purchase of the information system, system component, or information system service from suppliers. (SA-12(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers. (SA-12(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. (SR-5 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers. (SA-12(1) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)