CCI-004690
CCI-004690 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if: - controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using [SA-04_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {standardized contract language; [SA-04_ODP[02]; contract language is defined (if selected)]}] in the acquisition contract for the system, system component, or system service. - controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using [SA-04_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {standardized contract language; [SA-04_ODP[02]; contract language is defined (if selected)]}] in the acquisition contract for the system, system component, or system service.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process; configuration management plan; acquisition contracts for the system, system component, or system service; system design documentation; system security plan; supply chain risk management plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; organizational personnel with supply chain risk management responsibilities]. Test: [SELECT FROM: Organizational processes for determining system security and privacy functional, strength, and assurance requirements; organizational processes for developing acquisition contracts; mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts].