Plan for acquiring facilities, technology, or services.
CONTROL ID 06892
CONTROL TYPE Acquisition/Sale of Assets or Services
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Acquisition or sale of facilities, technology, and services, CC ID: 01123
This Control has the following implementation support Control(s):
Establish, implement, and maintain acquisition notices., CC ID: 16682
Involve all stakeholders in the acquisition process., CC ID: 13169
Perform a due diligence assessment on bidding suppliers prior to acquiring assets., CC ID: 15714
Allocate sufficient resources to protect Information Systems during capital planning., CC ID: 01444
Establish, implement, and maintain system acquisition contracts., CC ID: 14758
Identify and include alternatives to meeting the security requirements when acquiring assets., CC ID: 01128
Conduct an acquisition feasibility study prior to acquiring assets., CC ID: 01129
Establish, implement, and maintain a product and services acquisition strategy., CC ID: 01133
Establish, implement, and maintain a product and services acquisition program., CC ID: 01136
Establish, implement, and maintain a software product acquisition methodology., CC ID: 01138
Establish and maintain a register of approved third parties, technologies and tools., CC ID: 06836
Promote joint acquisition of products or services., CC ID: 11453
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Acquiring the rooms and buildings (for the ICS area also the producing rooms must be taken into account) (§ 8.1 ¶ 5 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
The ICS area can be operated as an autonomous network. When acquiring network connections also the interfaces should be acquired (list of allowed and blocked interfaces). Also the Internet connection out of the ICS area should be acquired. Separation of the networks between the office area and the I… (§ 8.1.4 ¶ 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
The organization should provide staff with clinical decision support tools as appropriate. (CORE - 28(b), URAC Health Utilization Management Standards, Version 6)
Define the responsibilities, relationships, authorities and performance criteria of project team members, and specify the basis for acquiring and assigning competent staff members and/or contractors to the project. The procurement of products and services required for each project should be planned … (PO10.8 Project Resources, CobiT, Version 4.1)
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how… (PO1.4 IT Strategic Plan, CobiT, Version 4.1)
facilities; and (§ 5.1 Guidance ¶ 1(c)(3), ISO/IEC 27003:2017, Information technology – Security techniques – Information security management systems – Guidance, Second Edition, 2017-03)
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable: (B. R1. 1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-1)
One or more process(es) used in procuring BES Cyber Systems, and their associated EACMS and PACS, that address the following, as applicable: (B. R1. 1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-2, Version 2)
Due diligence in research and selection of third-party service providers. (App A Objective 6.31.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., FedRAMP Security Controls High Baseline, Version 5)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., FedRAMP Security Controls Low Baseline, Version 5)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., FedRAMP Security Controls Moderate Baseline, Version 5)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
When evaluating the choices, the ISCP Coordinator should consider that purchasing equipment when needed is cost-effective but can add significant overhead time to recovery while waiting for shipment and setup; conversely, storing unused equipment is costly, but allows recovery operations to begin mo… (§ 3.4.4 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Preserving and extending the open, free, global, interoperable, reliable, and secure Internet requires sustained engagement in standards development processes to instill our values and ensure that technical standards produce technologies that are more secure and resilient. As autocratic regimes seek… (STRATEGIC OBJECTIVE 4.1 ¶ 2, National Cybersecurity Strategy)