CCI-003199
CCI-003199 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents the tailored acquisition strategies, contract tools, and procurement methods IAW DoDI 5200.44, "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)." Examples include:
1. Transferring a portion of the risk to the developer or supplier through the use of contract language and incentives;
2. Using contract language that requires the implementation of SCRM throughout the system lifecycle in applicable contracts and other acquisition and assistance instruments (grants, cooperative agreements, Cooperative Research and Development Agreements (CRADAs), and other transactions). Examples include:
   a. Language outlined in the Defense Acquisition Guidebook section 13.13, Contracting;
   b. Language requiring the use of protected mechanisms to deliver elements and data about elements, processes, and delivery mechanisms;
   c. Language that articulates that requirements flow down supply chain tiers to sub-prime suppliers.
3. Incentives for suppliers that:
   a. Implement required security safeguards and SCRM best practices;
   b. Promote transparency into their organizational processes and security practices;
   c. Provide additional vetting of the processes and security practices of subordinate suppliers, critical information system components, and services; and
   d. Implement contracts to reduce SC risk down the contract stack.
4. Gaining insight into supplier security practices;
5. Using contract language and incentives to enable more robust risk management later in the lifecycle;
6. Using a centralized intermediary or “Blind Buy” approaches to acquire element(s) to hide actual usage locations from an untrustworthy supplier or adversary;
7. Exercising the authorities provided in section 806 of the 2011 NDAA, through Public Law 111-383, referenced in the Defense Federal Acquisition Regulation Supplement (DFAR) interim rule part 252.239-7018, Supply Chain Risk.
DoD has determined the tailored acquisition strategies, contract tools, and procurement methods are not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documentation containing the tailored acquisition strategies, contract tools, and procurement methods to ensure they have been defined IAW DoDI 5200.44, "Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)." DoD has determined the tailored acquisition strategies, contract tools, and procurement methods are not appropriate to define at the Enterprise level.
Compelling Evidence
1.) System security plan (SSP).
2.) System development life cycle (SDLC) documentation.
3.) Continuous monitoring plan showing strategies for procurement of information systems, system components, or services from suppliers.