CCI-003098

The organization includes requirements for protecting security-related documentation, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.

Implementation Guidance

The organization being inspected/assessed documents within contracts/agreements for the information system, system component, or information system service, requirements for protecting security-related documentation, explicitly or by reference.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed includes requirements for protecting security-related documentation, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.

Compelling Evidence

1.) Acquisition contract includes procedures for protecting security-related documentation and documents its compliance with laws and regulations, as well as organizational mission/business needs.

The controls below (if any) were marked by NIST as being related to CCI-003098.