
💼 SA-4 Acquisition Process

  • ID: /frameworks/nist-sp-800-53-r5/sa/04

Description

Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service:

  a. Security and privacy functional requirements;
  b. Strength of mechanism requirements;
  c. Security and privacy assurance requirements;
  d. Controls needed to satisfy the security and privacy requirements;
  e. Security and privacy documentation requirements;
  f. Requirements for protecting security and privacy documentation;
  g. Description of the system development environment and environment in which the system is intended to operate;
  h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
  i. Acceptance criteria.

Similar

  • Internal
    • ID: dec-c-e71cdc41

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 FedRAMP High Security Controls → 💼 SA-4 Acquisition Process (L)(M)(H) | 5 | | | | no data
💼 FedRAMP Low Security Controls → 💼 SA-4 Acquisition Process (L)(M)(H) | 1 | | | | no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events | 35 | | | | no data
💼 NIST CSF v2.0 → 💼 GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | | | | | no data
💼 NIST CSF v2.0 → 💼 GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | | | | | no data
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | 26 | | | | no data
💼 NIST CSF v2.0 → 💼 GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | 1 | | | | no data
💼 NIST CSF v2.0 → 💼 GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | | | | | no data
💼 NIST CSF v2.0 → 💼 GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | 1 | | | | no data
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles | 25 | | | | no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 41 | | | | no data
💼 NIST CSF v2.0 → 💼 ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use | 4 | | | | no data

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 SA-4(1) Acquisition Process _ Functional Properties of Controls | | | | | no data
💼 SA-4(2) Acquisition Process _ Design and Implementation Information for Controls | | | | | no data
💼 SA-4(3) Acquisition Process _ Development Methods, Techniques, and Practices | | | | | no data
💼 SA-4(4) Acquisition Process _ Assignment of Components to Systems | | | | | no data
💼 SA-4(5) Acquisition Process _ System, Component, and Service Configurations | | | | | no data
💼 SA-4(6) Acquisition Process _ Use of Information Assurance Products | | | | | no data
💼 SA-4(7) Acquisition Process _ NIAP-approved Protection Profiles | | | | | no data
💼 SA-4(8) Acquisition Process _ Continuous Monitoring Plan for Controls | | | | | no data
💼 SA-4(9) Acquisition Process _ Functions, Ports, Protocols, and Services in Use | | | | | no data
💼 SA-4(10) Acquisition Process _ Use of Approved PIV Products | | | | | no data
💼 SA-4(11) Acquisition Process _ System of Records | | | | | no data
💼 SA-4(12) Acquisition Process _ Data Ownership | | | | | no data