Navigate

CCI-003141

CCI-003141 Definition

The organization ensures that the acquisition or outsourcing of dedicated information security services is approved by organization-defined personnel or roles.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed ensures that the acquisition or outsourcing of dedicated information security services is approved by the DoD Component CIO or their delegate(s). The organization must maintain a record of approvals. DoD has defined the personnel or roles the DoD Component CIO or their delegate(s).

Validation Procedures

The organization conducting the inspection/assessment obtains and examines a list of acquired or outsourced information security services as well as the record of approvals to ensure the organization being inspected/assessed ensures that the acquisition or outsourcing of dedicated information security services is approved by the DoD Component CIO or their delegate(s). DoD has defined the personnel or roles the DoD Component CIO or their delegate(s).

Compelling Evidence

1.) System security plan (SSP) will define and document a record of personnel or roles authorized to approve the acquisition or outsourcing of dedicated information security services.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003141.

Control	Description
SA-9 (1)	The organization: SA-9 (1)(a): Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and SA-9 (1)(b): Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].