SA-01-727 System and Services Acquisition Policy and Procedures

System and Services Acquisition Policy and Procedures

Control ID

SA-01-727

Control Name

System and Services Acquisition Policy and Procedures

Control Category

Security Assessment and Authorization

Functional Areas

Protect

Sub-Areas

Enterprise Architecture, Roadmap and Emerging Technology

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

The chief information officer is responsible for ensuring that information resources expenditures from any funding source are efficient and serve to improve agency services. The chief information officer is also responsible for coordinating agency information resources purchases, regardless of the funding source.

The chief information officer and information resource owner shall determine information security requirements for an information resource as part of the planning process, as well as determine, document, and allocate resources required to protect the information resource as part of its capital planning and investment control process. Information resource owners shall include information security, security testing, and audit controls in all phases of the system development lifecycle or acquisition process. Information resource owners, in conjunction with responsible contracting personnel, shall include information security requirements and/or specifications in all information resource acquisition contracts based on an assessment of risk and in accordance with applicable laws and standards.

Risk Statement

Acquiring resources for IT is done inconsistently with unreasonable cost.

Control Description

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].

Control Example

The organization has documented acquisition policies and procedures in place.

State Implementation

Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources.

Testing Procedures

Obtain system and services acquisition policy and procedures; other relevant documents or records and ascertain if: (I)the organization develops and documents system and services acquisition policy and procedures. (ii)the organization disseminates system and services acquisition policy and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review system and services acquisition policy and procedures. (iv)the organization updates system and services acquisition policy and procedures when organizational review indicates updates are required. (v)the system and services acquisition policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance (vi)the system and services acquisition policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and (vii)the system and services acquisition procedures address all areas identified in the system and services acquisition policy and address achieving policy-compliant implementations of all associated system and services acquisition controls.