Navigate

SA-9(1)

SA-9(1): Risk Assessments / Organizational Approvals

The organization:

(a): Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and

(b): Ensures that the acquisition or outsourcing of dedicated information security services is approved by [organization-defined personnel or roles].

Supplemental

Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services.

CIA Levels
Confidentiality	unknown
Integrity	high
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-9(1).

Control	Description
CA-6	The organization: a: Assigns a senior-level executive or manager as the authorizing official for the information system; b: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c: Updates the security authorization [organization-defined frequency].
RA-3	The organization: a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b: Documents risk assessment results in []; c: Reviews risk assessment results [organization-defined frequency]; d: Disseminates risk assessment results to [organization-defined personnel or roles]; and e: Updates the risk assessment [organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Control

Description

CA-6

The organization:

a: Assigns a senior-level executive or manager as the authorizing official for the information system;

b: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and

c: Updates the security authorization [organization-defined frequency].

RA-3

The organization:

a: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

b: Documents risk assessment results in [];

c: Reviews risk assessment results [organization-defined frequency];

d: Disseminates risk assessment results to [organization-defined personnel or roles]; and

e: Updates the risk assessment [organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

Enhancements

The controls below (if any) add on to the requirements of SA-9(1).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-9(1).

CCI	Definition
CCI-003140	Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services.
CCI-003141	Verify that the acquisition or outsourcing of dedicated information security services is approved by organization-defined personnel or roles.
CCI-003142	Defines the personnel or roles authorized to approve the acquisition or outsourcing of dedicated information security services.