Acquire products or services.


CONTROL ID
11450
CONTROL TYPE
Acquisition/Sale of Assets or Services
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Acquisition or sale of facilities, technology, and services, CC ID: 01123

This Control has the following implementation support Control(s):
  • Acquire products through suppliers, as necessary., CC ID: 13171
  • Register new systems with the program office or other applicable stakeholder., CC ID: 13986
  • Refrain from accepting assets with questionable provenance., CC ID: 12194
  • Discourage the modification of vendor-supplied software., CC ID: 12016
  • Refuse acquisition of products or services absent acquisition approval., CC ID: 11451
  • Establish, implement, and maintain an anti-counterfeit program for acquiring new systems., CC ID: 10641


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To facilitate continuous monitoring and analysis of cyber events; as well as prompt detection and response to cyber incidents, the FI should establish a security operations centre or acquire managed security services. The processes, roles and responsibilities for security operations should be define… (§ 12.2.1, Technology Risk Management Guidelines, January 2021)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • In-place monitoring equipment may be bought and operated to augment the Technical Surveillance Countermeasure support of highly sensitive projects or facilities within the constraints of this document, provided they are coordinated with the Technical Surveillance Countermeasure program manager. (§ 5.6, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. (PL-8(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. (PL-8(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)