Skip to main content

πŸ’Ό SA-4 Acquisition Process

Description​

Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: a. Security and privacy functional requirements; b. Strength of mechanism requirements; c. Security and privacy assurance requirements; d. Controls needed to satisfy the security and privacy requirements. e. Security and privacy documentation requirements; f. Requirements for protecting security and privacy documentation; g. Description of the system development environment and environment in which the system is intended to operate; h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and i. Acceptance criteria.

Similar​

  • Internal
    • ID: dec-c-e71cdc41

Similar Sections (Give Policies To)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SA-4 Acquisition Process (L)(M)(H)5
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SA-4 Acquisition Process (L)(M)(H)1
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events31
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities1
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles21
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities34
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use4

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό SA-4(1) Acquisition Process _ Functional Properties of Controls
πŸ’Ό SA-4(2) Acquisition Process _ Design and Implementation Information for Controls
πŸ’Ό SA-4(3) Acquisition Process _ Development Methods, Techniques, and Practices
πŸ’Ό SA-4(4) Acquisition Process _ Assignment of Components to Systems
πŸ’Ό SA-4(5) Acquisition Process _ System, Component, and Service Configurations
πŸ’Ό SA-4(6) Acquisition Process _ Use of Information Assurance Products
πŸ’Ό SA-4(7) Acquisition Process _ NIAP-approved Protection Profiles
πŸ’Ό SA-4(8) Acquisition Process _ Continuous Monitoring Plan for Controls
πŸ’Ό SA-4(9) Acquisition Process _ Functions, Ports, Protocols, and Services in Use
πŸ’Ό SA-4(10) Acquisition Process _ Use of Approved PIV Products
πŸ’Ό SA-4(11) Acquisition Process _ System of Records
πŸ’Ό SA-4(12) Acquisition Process _ Data Ownership