SA-01-727 System and Services Acquisition Policy and Procedures


SA-01-727
System and Services Acquisition Policy and Procedures
Security Assessment and Authorization
Protect
Enterprise Architecture, Roadmap and Emerging Technology
LOW, MOD, HIGH
P1
Yes
May 20, 2016

The chief information officer is responsible for ensuring that information resources expenditures from any funding source are efficient and serve to improve agency services. The chief information officer is also responsible for coordinating agency information resources purchases, regardless of the funding source.

The chief information officer and information resource owner shall determine information security requirements for an information resource as part of the planning process, as well as determine, document, and allocate resources required to protect the information resource as part of its capital planning and investment control process. Information resource owners shall include information security, security testing, and audit controls in all phases of the system development lifecycle or acquisition process. Information resource owners, in conjunction with responsible contracting personnel, shall include information security requirements and/or specifications in all information resource acquisition contracts based on an assessment of risk and in accordance with applicable laws and standards.

IT resources are acquired inconsistently and at unreasonable cost.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
   1. System and services acquisition policy [Assignment: organization-defined frequency]; and
   2. System and services acquisition procedures [Assignment: organization-defined frequency].
The organization has documented acquisition policies and procedures in place.
Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources.
Obtain system and services acquisition policy and procedures and other relevant documents or records, and ascertain if:
(i) the organization develops and documents system and services acquisition policy and procedures;
(ii) the organization disseminates system and services acquisition policy and procedures to appropriate elements within the organization;
(iii) responsible parties within the organization periodically review system and services acquisition policy and procedures;
(iv) the organization updates system and services acquisition policy and procedures when organizational review indicates updates are required;
(v) the system and services acquisition policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(vi) the system and services acquisition policy is consistent with the organization's mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and
(vii) the system and services acquisition procedures address all areas identified in the system and services acquisition policy and address achieving policy-compliant implementations of all associated system and services acquisition controls.