SA-04-727 Acquisition Process

Security Assessment and Authorization
Protect
Secure System Services, Acquisition and Development
LOW, MOD, HIGH
P1
Yes
May 20, 2016
Information resource owners, in conjunction with responsible contracting personnel, shall include information security requirements and/or specifications in all information resource acquisition contracts based on an assessment of risk and in accordance with applicable laws and standards.
The organization's interests are not protected in IT acquisition contractual agreements.
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
The organization includes security requirements in contracts for acquisition of information systems.
The state organization includes security requirements and/or security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable laws and standards.
Obtain system and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; NIST Special Publications 800-23 and 800-70; acquisition documentation; acquisition contracts for information systems or services; solicitation documents; other relevant documents or records, and ascertain if:
(i) the organization includes in acquisition contracts for information systems, either explicitly or by reference, security requirements and/or security specifications based on an assessment of risk and in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards that describe required:
- security capabilities;
- design and development processes;
- test and evaluation procedures;
- documentation.
(ii) the organization includes in acquisition contracts requirements for information system documentation addressing user and systems administrator guidance and information regarding the implementation of the security controls in the system, at a level of detail based on the FIPS 199 security category for the system.
(iii) the organization includes in acquisition contracts requirements for information system documentation that includes security configuration settings and security implementation guidance.
(iv) the organization requires in solicitation documents that appropriate documentation be provided describing the functional properties of the security controls employed within the information system, with sufficient detail to permit analysis and testing of the controls.
(v) the organization explicitly assigns each acquired information system component to an information system.
(vi) the owner of the system acknowledges each assignment of information system components to the information system.