CCI-003198

The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.

Implementation Guidance

The organization being inspected/assessed implements IAW the DoDI 5200.44 "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)” tailored acquisition strategies, contract tools, and procurement methods defined in SA-12 (1), CCI 3199 as a means to mitigate supply chain risk. The organization being inspected/assessed must maintain documentation tracing the strategies, tools, and methods implemented to the organization-defined strategies, tools, and methods.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines documentation tracing the strategies, tools, and methods implemented to the organization-defined strategies, tools, and methods to ensure that the tailored acquisition strategies, contract tools, and procurement methods identified in SA-12 (1), CCI 3199 have been implemented.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan showing strategies for procurement of Information System, system components or Services from suppliers.

The controls below (if any) were marked by NIST as being related to CCI-003198.