πΌ SA-4 Acquisition Process
Descriptionβ
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service:
a. Security and privacy functional requirements;
b. Strength of mechanism requirements;
c. Security and privacy assurance requirements;
d. Controls needed to satisfy the security and privacy requirements.
e. Security and privacy documentation requirements;
f. Requirements for protecting security and privacy documentation;
g. Description of the system development environment and environment in which the system is intended to operate;
h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
i. Acceptance criteria.
Similarβ
Similar Sections (Give Policies To)β
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|
| πΌ FedRAMP High Security Controls β πΌ SA-4 Acquisition Process (L)(M)(H) | 5 | | | |
| πΌ FedRAMP Low Security Controls β πΌ SA-4 Acquisition Process (L)(M)(H) | 1 | | | |
| πΌ NIST CSF v2.0 β πΌ DE.CM-06: External service provider activities and services are monitored to find potentially adverse events | | | 27 | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | | | 26 | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | | | 1 | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | | | | |
| πΌ NIST CSF v2.0 β πΌ GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | | | | |
| πΌ NIST CSF v2.0 β πΌ ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | | | 3 | |
| πΌ NIST CSF v2.0 β πΌ ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | | | 24 | |
| πΌ NIST CSF v2.0 β πΌ ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use | | | | |
Sub Sectionsβ