Navigate

CCI-003140

CCI-003140 Definition

The organization conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to conduct an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services. The organization must maintain a record of risk assessment.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines a list of acquired or outsourced information security services and the record of risk assessment to ensure the organization being inspected/assessed conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services.

Compelling Evidence

1.) System security plan (SSP) will define and document a record of risk assessment prior to the acquisition or outsourcing of dedicated information security services.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003140.

Control	Description
SA-9 (1)	The organization: SA-9 (1)(a): Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and SA-9 (1)(b): Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].