Establish, implement, and maintain a product and services acquisition program.


CONTROL ID
01136
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Plan for acquiring facilities, technology, or services., CC ID: 06892

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a product and services acquisition policy., CC ID: 14028
  • Establish, implement, and maintain acquisition approval requirements., CC ID: 13704
  • Disseminate and communicate acquisition approval requirements to all affected parties., CC ID: 13706
  • Include preventive maintenance contracts in system acquisition contracts., CC ID: 06658
  • Prohibit the use of Personal Electronic Devices, absent approval., CC ID: 04599
  • Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated., CC ID: 11667
  • Include chain of custody procedures in the product and services acquisition program., CC ID: 10058
  • Review and update the acquisition contracts, as necessary., CC ID: 14279


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A telecommunication service provider shall acquire the facilities and devices stated in the directive issued under section 12(2) at its own expense. (§ 12(4), South African Interception of Communications Act, No 6/2007)
  • Costs incurred by a Telecommunication Service Provider to enable a telecommunication system to be intercepted, storing call-related information, and complying with section 9 shall be covered by the Telecommunication Service Provider. (§ 12(5), South African Interception of Communications Act, No 6/2007)
  • A person may provide or sell authentication services or products in Zambia absent the prior authority of another person. (§ 27, The Electronic Communications and Transactions Act, 2002)
  • A service provider shall acquire the devices and facilities identified in the regulations under section 79(2), at the service provider's own expense. (§ 79(4), The Electronic Communications and Transactions Act, 2002)
  • A person may acquire or sell an encryption product despite the selected encryption algorithm, the chosen encryption key length, the implementation technique, or the medium used. (§ 90(1)(a), The Electronic Communications and Transactions Act, 2002)
  • App 2-1 Item Number II.3(5): The hardware, software, and networking products must be procured in accordance with the procurement rules. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. App 2-1 Item Number II.3(6): The organizati… (App 2-1 Item Number II.3(5), App 2-1 Item Number II.3(6), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Evaluated supplicants, authenticators and authentication servers are used in wireless networks. (Security Control: 1322; Revision: 3, Australian Government Information Security Manual, March 2021)
  • The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented. (Security Control: 1458; Revision: 1, Australian Government Information Security Manual, March 2021)
  • The organization must ensure that equipment located in top secret areas meets the industry standards and government standards for Electromagnetic Interference and Electromagnetic Compatibility. (Control: 0250, Australian Government Information Security Manual: Controls)
  • The organization should select products with the desired security functionality and applicable to the intended environment. (Control: 0279, Australian Government Information Security Manual: Controls)
  • The organization must select products in accordance with the following: first preference is a Defence Signals Directorate approved Protection Profile product; second preference is an Evaluation Assurance Level-based evaluated product through the Common Criteria scheme or the Australasian Information… (Control: 0280, Australian Government Information Security Manual: Controls)
  • The authenticators, supplicants, and Authentication Server for sensitive and classified wireless networks must have had an appropriate evaluation. (Control: 1322, Australian Government Information Security Manual: Controls)
  • The organization must use a Common Criteria-evaluated diode to control the data flow of unidirectional gateways between the public network infrastructure and sensitive networks or classified networks. (Control: 0643, Australian Government Information Security Manual: Controls)
  • The organization must use a common criteria-evaluated diode to control the data flow of unidirectional gateways between sensitive networks and classified networks. (Control: 1157, Australian Government Information Security Manual: Controls)
  • The organization must use a high assurance diode from the Defence Signals Directorate Evaluated Products List to control the data flow of unidirectional gateways between the public network infrastructure and classified networks. (Control: 0645, Australian Government Information Security Manual: Controls)
  • The organization must use a high assurance diode from the Defence Signals Directorate Evaluated Products List to control the data flow of unidirectional gateways between sensitive networks or classified networks, where the highest system is confidential or above. (Control: 1158, Australian Government Information Security Manual: Controls)
  • The organization must use a Common Criteria-evaluated diode between a foreign network and an Australian Eyes Only network or an Australian Government Access Only network of the same classification. (Control: 0646, Australian Government Information Security Manual: Controls)
  • The organization should use a Common Criteria-evaluated diode from the Defence Signals Directorate Evaluated Products List between another organizationally controlled network and an Australian Eyes Only network or an Australian Government Access Only network of the same classification. (Control: 0647, Australian Government Information Security Manual: Controls)
  • The organization should implement acquisition and implementation controls to ensure information technology security is not compromised when a new information technology asset is introduced into the system. (¶ 54, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Acquisition and implementation controls would typically be in place to ensure that the IT security of the technology environment is not compromised by the introduction of new IT assets. Ongoing support and maintenance controls would typically be in place to ensure that IT assets continue to meet bus… (¶ 54, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Based on the essential business processes and specialised procedures, first acquisition must include identification of the applications, IT systems, network components, rooms and similar objects that are essential for performance of the business processes. Here, not only the primary dependences shou… (§ 3.2.4 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Policies and instructions with technical and organisational safeguards for the proper development and/or procurement of information systems for the development or operation of the cloud service, including middleware, databases, operating systems and network components are documented, communicated an… (Section 5.11 BEI-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • For the procurement, products which were certified according to the "Common Criteria for Information Technology Security Evaluation" (abbreviated: Common Criteria – CC) according to evaluation level EAL 4 are preferred. If uncertified products are procured although certified products are available… (Section 5.11 BEI-01 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • ¶ 14: To avoid legal challenges on fair trading and public law grounds, departments and agencies must not give preference to existing List X contractors when they are preparing the Invitation to Tender short list. ¶ 15: The contracting authority should provide written advice on the nature of gener… (¶ 14 thru ¶ 16, The Contractual process, Version 5.0 October 2010)
  • Are there procedures and controls for purchasing software and hardware? (Table Row I.26, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the information technology management authorize all hardware acquisitions and software acquisitions? (Table Row I.27, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • If there is no national certification, what criteria are used to purchase firewalls? (Table Row V.1, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • A regulated user should have a comprehensive policy and procedures implemented for the specification, purchase, development, and implementation of computerized systems. (¶ 8.1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Develop and follow a set of procedures and standards that is consistent with the business organisation's overall procurement process and acquisition strategy to acquire IT-related infrastructure, facilities, hardware, software and services needed by the business. (AI5.1 Procurement Control, CobiT, Version 4.1)
  • Protect and enforce the organisation's interests in all acquisition contractual agreements, including the rights and obligations of all parties in the contractual terms for the acquisition of software, development resources, infrastructure and services. (AI5.4 IT Resources Acquisition, CobiT, Version 4.1)
  • Verify that the process requires the business sponsor to approve and sign off on business functional and technical requirements and feasibility study reports at predetermined key stages. The business sponsor should make the final decision with respect to the choice of solution and acquisition approa… (AI1.4 Requirements and Feasibility Decision and Approval, CobiT, Version 4.1)
  • Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the c… (PO3.2 Technology Infrastructure Plan, CobiT, Version 4.1)
  • Adopt and maintain standards for all development and acquisition that follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria. Consider software coding standards; naming conventions; file formats; schema and data dictionary des… (PO8.3 Development and Acquisition Standards, CobiT, Version 4.1)
  • An organization will establish a list of company-approved products. For example, if a wireless Access Point (AP) needs to be replaced, substituting it with a non-sanctioned AP is not acceptable. (§ 4.6.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives. (§ 3 Principle 11 Points of Focus: Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, COSO Internal Control - Integrated Framework (2013))
  • Standards should be adopted for systems development processes. These standards should apply to designing, developing, testing, implementing, and maintaining programs and systems when the organization develops their own applications. For outsourced application development or acquiring new systems, ag… (§ 5.3.2 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The acquisition process shall require disclosure, in writing, at the time of each individual quotation of whether or not the supply source is authorized and whether or not the full manufacturer's warranty is being provided. (§ 4.1.4.c, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The buyer's procurement contract should include requirements to help in verifying that authentic, conforming material was provided. (App D § D.1.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • The purchase contract shall define the quoted product and require suppliers to meet the requirements. (§ 4.2.3.3, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The purchase contract shall include flow-through requirements. (§ 4.2.3.2, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Access control mechanisms should be provided using approved hardware / software (e.g., 'pictures and patterns' software, physical tokens, fingerprint readers, and iris scanners). (CF.06.03.05, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for acquiring hardware / software, which specifies guidelines for selecting hardware / software (e.g., lists of approved suppliers, security considerations, and contractual terms). (CF.16.02.01a, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for acquiring hardware / software, which specifies methods of identifying and addressing security weaknesses in hardware / software. (CF.16.02.01b, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for acquiring hardware / software, which specifies the process for reviewing and approving hardware / software. (CF.16.02.01d, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including computer equipment (e.g., servers, desktop computers, ultrabooks, laptops, and netbooks). (CF.16.02.02a, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including consumer devices (e.g., tablets and smartphones). (CF.16.02.02b, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including virtual systems (e.g., Virtual Servers and virtual desktops). (CF.16.02.02c, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including network storage systems (e.g., Storage Area Network and network-attached storage). (CF.16.02.02d, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including network equipment (e.g., routers, switches, Wireless Access Points, and firewalls). (CF.16.02.02e, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including telephony (including Voice over Internet Protocol) and conferencing equipment. (CF.16.02.02f, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including portable storage media (e.g., external hard disk drives and Universal serial bus memory sticks). (CF.16.02.02g, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including authentication hardware (e.g., physical tokens, smartcards, and biometric equipment). (CF.16.02.02h, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including office equipment (e.g., network printers, photocopiers, facsimile machines, scanners, and multifunction devices). (CF.16.02.02i, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including specialist equipment (e.g., equipment that is used to support or enable the organization's critical infrastructure). (CF.16.02.02j, The Standard of Good Practice for Information Security)
  • The acquisition of hardware / software should be reviewed by staff who have the necessary skills to evaluate them, and be approved by an appropriate business representative. (CF.16.02.08, The Standard of Good Practice for Information Security)
  • There should be a documented corporate policy for the purchase and use of cloud services, which is based on the organization's strategy for using cloud services. (CF.16.04.01a, The Standard of Good Practice for Information Security)
  • There should be a documented corporate policy for the purchase and use of cloud services, which is approved by executive management. (CF.16.04.01b, The Standard of Good Practice for Information Security)
  • Contracts (including those for generic, 'off-the-shelf' cloud services) should be subject to the organization's standard acquisition processes. (CF.16.05.02c, The Standard of Good Practice for Information Security)
  • Access control mechanisms should be provided using approved hardware / software (e.g., 'pictures and patterns' software, physical tokens, fingerprint readers, and iris scanners). (CF.06.03.05, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for acquiring hardware / software, which specifies guidelines for selecting hardware / software (e.g., lists of approved suppliers, security considerations, and contractual terms). (CF.16.02.01a, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for acquiring hardware / software, which specifies methods of identifying and addressing security weaknesses in hardware / software. (CF.16.02.01b, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for acquiring hardware / software, which specifies the process for reviewing and approving hardware / software. (CF.16.02.01d, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including computer equipment (e.g., servers, desktop computers, ultrabooks, laptops, and netbooks). (CF.16.02.02a, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including consumer devices (e.g., tablets and smartphones). (CF.16.02.02b, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including virtual systems (e.g., Virtual Servers and virtual desktops). (CF.16.02.02c, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including network storage systems (e.g., Storage Area Network and network-attached storage). (CF.16.02.02d, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including network equipment (e.g., routers, switches, Wireless Access Points, and firewalls). (CF.16.02.02e, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including telephony (including Voice over Internet Protocol) and conferencing equipment. (CF.16.02.02f, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including portable storage media (e.g., external hard disk drives and Universal serial bus memory sticks). (CF.16.02.02g, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including authentication hardware (e.g., physical tokens, smartcards, and biometric equipment). (CF.16.02.02h, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including office equipment (e.g., network printers, photocopiers, facsimile machines, scanners, and multifunction devices). (CF.16.02.02i, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all hardware acquired throughout the organization, including specialist equipment (e.g., equipment that is used to support or enable the organization's critical infrastructure). (CF.16.02.02j, The Standard of Good Practice for Information Security, 2013)
  • There should be a documented corporate policy for the purchase and use of cloud services, which is based on the organization's strategy for using cloud services. (CF.16.04.01a, The Standard of Good Practice for Information Security, 2013)
  • There should be a documented corporate policy for the purchase and use of cloud services, which is approved by executive management. (CF.16.04.01b, The Standard of Good Practice for Information Security, 2013)
  • Contracts (including those for generic, 'off-the-shelf' cloud services) should be subject to the organization's standard acquisition processes. (CF.16.05.02c, The Standard of Good Practice for Information Security, 2013)
  • The acquisition of hardware / software should be reviewed by staff who have the necessary skills to evaluate them, and be approved by an appropriate business representative. (CF.16.02.08a, The Standard of Good Practice for Information Security, 2013)
  • The organization should acquire systems that are configured securely out of the box. (Critical Control 3.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacente… (CCC-01, Cloud Controls Matrix, v3.0)
  • The organization shall include in the purchasing information a description of the product being purchased, including the approval requirements for products, processes, procedures, and equipment; personnel qualification requirements; and quality management system requirements. The organization shall … (§ 7.4.2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • determine its environmental requirement(s) for the procurement of products and services, as appropriate; (§ 8.1 ¶ 4 b), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall send requests for products or services to all identified suppliers. (§ 6.1.1.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall plan how goods, materials, and enabling system services are acquired from suppliers outside of the project. (§ 6.3.1.3(b)(6), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall acquire and deploy technologies that support plan measurement. (§ 6.3.7.3(a)(7), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall obtain materials and integration enabling systems in accordance with the integration procedures. (§ 6.4.5.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall obtain the system elements in accordance with the agreed upon schedules. (§ 6.4.5.3(b)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall obtain other services that are related to system operation. (§ 6.4.9.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall obtain the services, elements, and enabling systems to use for system maintenance. (§ 6.4.10.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall acquire the services or enabling systems to use for system disposal. (§ 6.4.11.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. (CC5.2 ¶ 2 Bullet 4 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. (PI1.1 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. (CC5.2 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, Trust Services Criteria)
  • The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. (PI1.1, Trust Services Criteria)
  • Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives. (CC5.2 ¶ 2 Bullet 4 Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities, Trust Services Criteria, (includes March 2020 updates))
  • The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. (PI1.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • § 1194.2(a)(2): If an agency determines that compliance with the requirements will impose an undue burden with regard to procuring a product, it shall explain in the procurement documentation why, and to what extent, compliance with the requirement creates an undue burden. § 1194.2(b): An agency shall procur… (§ 1194.2(a)(2), § 1194.2(b), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • Only telecommunications or automated information system (TAIS) and non communication emitters that comply with this regulation should be procured. (§ 1-5.a(5), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • Written procurement procedures must be established by all grantees and must provide, at a minimum, the following: (1) avoiding the purchase of unnecessary items; (2) analyzing lease and purchase alternatives to determine the most economical and practical procurement; (3) ensuring solicitations fo… (§ 495.348(e), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • The Federal Acquisition Regulatory Council must ensure that the information technology acquisition process is a simplified, clear, and understandable process, specifically addressing risk management, incremental acquisitions, and the incorporation of commercial information technology in a timely man… (§ 5201, Clinger-Cohen Act (Information Technology Management Reform Act))
  • The information assurance manager must ensure that Information Systems that are acquired and intended to be used as or integrated into the Access Control solution are evaluated in accordance with the following: government off the shelf products must be evaluated by the National Security Agency or a … (§ 3.4 ¶ AC34.010, DISA Access Control STIG, Version 2, Release 3)
  • The Information Assurance roles and responsibilities of service providers, government, and end users must be explicitly addressed in the outsourcing or acquisition of Information Technology services. (DCIT-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A medical device manufacturer shall establish and maintain data clearly referencing or describing the requirements, including quality requirements, for purchased/received products and services. Purchasing documents shall include agreements that consultants, contractors, and suppliers will notify the… (§ 820.50(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Establishment of processes to evaluate and procure technology. (App A Objective 12:4b Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Development and acquisition, including secure development. (App A Objective 12:4 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the extent of audit's participation in application development, acquisition, and testing, as part of the organization's process to ensure the effectiveness of internal controls. (TIER I OBJECTIVES AND PROCEDURES Objective 10, FFIEC IT Examination Handbook - Audit, April 2012)
  • The level and quality of oversight and support of systems development and acquisition activities by senior management and the board of directors; (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • The organization should distribute a request for proposals (RFP) to third parties. The RFP should define the functional, organizational, and system requirements. The vendor's proposal should address all of the requirements and other issues, such as compatibility of operating systems; delivery dates;… (Pg 40, Exam Obj 6.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Does the Credit Union have a formal, written policy for how networked applications are approved, prioritized, acquired, developed, and maintained? (IT - Networks Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does management use a formal methodology for acquiring, developing, or maintaining new software or modified software? (IT - Networks Q 35, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • In addition to addressing cybersecurity risks throughout the supply chain and performing C-SCRM activities during each phase of the acquisition process, enterprises should develop and execute an acquisition strategy that drives reductions in their overall risk exposure. By applying such strategies, … (3.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Additional guidance for integrating C-SCRM into the acquisition process is provided in Appendix C, which demonstrates the enhanced overlay of C-SCRM into the [NIST SP 800-39] Risk Management Process. In addition, enterprises should refer to and follow the acquisition and procurement policies, regula… (3.1.2. ¶ 13, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Integrate C-SCRM considerations into every aspect of the system and product life cycle, and implement consistent, well-documented, repeatable processes for systems engineering, cybersecurity practices, and acquisition. (3.4.2. ¶ 1 Bullet 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The C-SCRM Strategy and Implementation Plan should address the acquisition security-relevant foundational elements necessary to implement a C-SCRM program. To support the strategy, enterprise leaders should promote the value and importance of C-SCRM within acquisitions and ensure that sufficient, de… (3.1.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Participate in the acquisition process as necessary, following appropriate supply chain risk management practices. (T0276, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Participate in the acquisition process as necessary. (T0407, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure that recommended products are in compliance with organization's evaluation and validation requirements. (T0119, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must develop and implement a smart grid Information System and services acquisition security policy. (SG.SA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System and services acquisition security policy must include the objectives, roles, and responsibilities of the program. (SG.SA-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System and services acquisition security policy must include the scope of the program. (SG.SA-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented System and Services Acquisition policy that addresses purpose, roles, responsibilities, scope, management commitment, compliance, and coordination among entities. (App F § SA-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should ensure that the acquisition of third-party information services is approved by a management Authorizing Official. (App F § SA-9(1)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures for implementing the System and Services Acquisition policy and its associated controls. (App F § SA-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should minimize the time between purchase decisions and the delivery of the systems, components, and Information Technology products. (App F § SA-12(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure that recommended products are in compliance with organization's evaluation and validation requirements. (T0119, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Participate in the acquisition process as necessary. (T0407, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Participate in the acquisition process as necessary, following appropriate supply chain risk management practices. (T0276, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization requires that {organizationally documented security safeguards} allocated to {organizationally documented locations} are obtained from different suppliers. (PL-8(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires that {organizationally documented security safeguards} allocated to {organizationally documented architectural layers} are obtained from different suppliers. (PL-8(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (SA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. (SA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets {organizationally documented mobile code requirements}. (SC-18(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (SA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. (SA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (SA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. (SA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (SA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. (SA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. (PL-8(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. (PL-8(2) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • LEVERAGE FEDERAL PROCUREMENT TO IMPROVE ACCOUNTABILITY (STRATEGIC OBJECTIVE 3.5, National Cybersecurity Strategy)
  • LEVERAGE FEDERAL PROCUREMENT TO IMPROVE ACCOUNTABILITY (STRATEGIC OBJECTIVE 3.5, National Cybersecurity Strategy (Condensed))