CCI-003099
CCI-003099 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using [SA-04_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {standardized contract language; [SA-04_ODP[02]; contract language is defined (if selected)]}] in the acquisition contract for the system, system component, or system service.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process; configuration management plan; acquisition contracts for the system, system component, or system service; system design documentation; system security plan; supply chain risk management plan; privacy plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; organizational personnel with supply chain risk management responsibilities].
Test: [SELECT FROM: Organizational processes for determining system security and privacy functional, strength, and assurance requirements; organizational processes for developing acquisition contracts; mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts].