Plan for acquiring facilities, technology, or services.


CONTROL ID
06892
CONTROL TYPE
Acquisition/Sale of Assets or Services
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Acquisition or sale of facilities, technology, and services, CC ID: 01123

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain acquisition notices., CC ID: 16682
  • Involve all stakeholders in the acquisition process., CC ID: 13169
  • Perform a due diligence assessment on bidding suppliers prior to acquiring assets., CC ID: 15714
  • Allocate sufficient resources to protect Information Systems during capital planning., CC ID: 01444
  • Establish, implement, and maintain system acquisition contracts., CC ID: 14758
  • Identify and include alternatives to meeting the security requirements when acquiring assets., CC ID: 01128
  • Conduct an acquisition feasibility study prior to acquiring assets., CC ID: 01129
  • Establish, implement, and maintain a product and services acquisition strategy., CC ID: 01133
  • Establish, implement, and maintain a product and services acquisition program., CC ID: 01136
  • Establish, implement, and maintain a software product acquisition methodology., CC ID: 01138
  • Establish and maintain a register of approved third parties, technologies and tools., CC ID: 06836
  • Promote joint acquisition of products or services., CC ID: 11453


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Acquiring the rooms and buildings (for the ICS area also the producing rooms must be taken into account) (§ 8.1 ¶ 5 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The ICS area can be operated as an autonomous network. When acquiring network connections also the interfaces should be acquired (list of allowed and blocked interfaces). Also the Internet connection out of the ICS area should be acquired. Separation of the networks between the office area and the I… (§ 8.1.4 ¶ 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The organization should provide staff with clinical decision support tools as appropriate. (CORE - 28(b), URAC Health Utilization Management Standards, Version 6)
  • Define the responsibilities, relationships, authorities and performance criteria of project team members, and specify the basis for acquiring and assigning competent staff members and/or contractors to the project. The procurement of products and services required for each project should be planned … (PO10.8 Project Resources, CobiT, Version 4.1)
  • Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how… (PO1.4 IT Strategic Plan, CobiT, Version 4.1)
  • facilities; and (§ 5.1 Guidance ¶ 1(c)(3), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable: (B. R1. 1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-1)
  • One or more process(es) used in procuring BES Cyber Systems, and their associated EACMS and PACS, that address the following, as applicable: (B. R1. 1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-2, Version 2)
  • Due diligence in research and selection of third-party service providers. (App A Objective 6.31.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., FedRAMP Security Controls High Baseline, Version 5)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., FedRAMP Security Controls Low Baseline, Version 5)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • When evaluating the choices, the ISCP Coordinator should consider that purchasing equipment when needed is cost-effective but can add significant overhead time to recovery while waiting for shipment and setup; conversely, storing unused equipment is costly, but allows recovery operations to begin mo… (§ 3.4.4 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Preserving and extending the open, free, global, interoperable, reliable, and secure Internet requires sustained engagement in standards development processes to instill our values and ensure that technical standards produce technologies that are more secure and resilient. As autocratic regimes seek… (STRATEGIC OBJECTIVE 4.1 ¶ 2, National Cybersecurity Strategy)