Acquire products or services.
CONTROL ID
11450
CONTROL TYPE
Acquisition/Sale of Assets or Services
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Acquisition or sale of facilities, technology, and services, CC ID: 01123

This Control has the following implementation support Control(s):
  • Acquire products through suppliers, as necessary., CC ID: 13171
  • Register new systems with the program office or other applicable stakeholder., CC ID: 13986
  • Refrain from accepting assets with questionable provenance., CC ID: 12194
  • Discourage the modification of vendor-supplied software., CC ID: 12016
  • Refuse acquisition of products or services absent acquisition approval., CC ID: 11451
  • Establish, implement, and maintain an anti-counterfeit program for acquiring new systems., CC ID: 10641

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To facilitate continuous monitoring and analysis of cyber events; as well as prompt detection and response to cyber incidents, the FI should establish a security operations centre or acquire managed security services. The processes, roles and responsibilities for security operations should be define… (§ 12.2.1, Technology Risk Management Guidelines, January 2021)
  • If procuring an evaluated product, a product that has completed a PP-based evaluation, including against all applicable PP modules, is selected in preference to one that has completed an EAL-based evaluation. (Control: ISM-0280; Revision: 8, Australian Government Information Security Manual, June 2023)
  • If procuring an evaluated product, a product that has completed a PP-based evaluation, including against all applicable PP modules, is selected in preference to one that has completed an EAL-based evaluation. (Control: ISM-0280; Revision: 8, Australian Government Information Security Manual, September 2023)
  • Seek at least three (3) quotes from the list of available assessors at cyber.gov.au. (39.a., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • It must not be forgotten to also acquire virtualised applications within the scope of structure analysis. (§ 8.1.3 ¶ 10, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Often, production and manufacturing uses a number of other devices in addition to IT systems. All ICS devices should be acquired correspondingly. (§ 8.1.6 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Acquire external connections and document them in tabular or graphical form (§ 8.2.8 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • In-place monitoring equipment may be bought and operated to augment the Technical Surveillance Countermeasure support of highly sensitive projects or facilities within the constraints of this document, provided they are coordinated with the Technical Surveillance Countermeasure program manager. (§ 5.6, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. (PL-8(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. (PL-8(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. (PL-8(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. (PL-8(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)