Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/SA

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


SYSTEM AND SERVICES ACQUISITION

SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-1 System and Services Acquisition Policy and Procedures (P1): LOW SA-1; MOD SA-1; HIGH SA-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-1


ASSESSMENT PROCEDURE
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system services and acquisition policy;
(ii) the organization system services and acquisition policy addresses:
(iii) the organization disseminates formal documented system services and acquisition policy to elements within the organization having associated system services and acquisition roles and responsibilities;
(iv) the organization develops and formally documents system services and acquisition procedures;
(v) the organization system services and acquisition procedures facilitate implementation of the system and services acquisition policy and associated system services and acquisition controls; and
(vi) the organization disseminates formal documented system services and acquisition procedures to elements within the organization having associated system services and acquisition roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].
SA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system services and acquisition policy reviews/updates;
(ii) the organization reviews/updates system services and acquisition policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of system services and acquisition procedure reviews/updates; and
(iv) the organization reviews/updates system services and acquisition procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].


SA-2 ALLOCATION OF RESOURCES


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-2 Allocation of Resources (P1): LOW SA-2; MOD SA-2; HIGH SA-2


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-2


ASSESSMENT PROCEDURE
SA-2 ALLOCATION OF RESOURCES
SA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization includes a determination of the information security requirements for the information system in mission/business process planning;
(ii) the organization determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and
(iii) the organization establishes a discrete line item for information security in organizational programming and budgeting documentation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the allocation of resources to information security requirements; organizational programming and budgeting documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with capital planning and investment responsibilities].



SA-3 LIFE CYCLE SUPPORT


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-3 Life Cycle Support (P1): LOW SA-3; MOD SA-3; HIGH SA-3


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-3


ASSESSMENT PROCEDURE
SA-3 LIFE CYCLE SUPPORT
SA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages the information system using a system development life cycle methodology that includes information security considerations;
(ii) the organization defines and documents information system security roles and responsibilities throughout the system development life cycle; and
(iii) the organization identifies individuals having information system security roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; information system development life cycle documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information security and system life cycle development responsibilities].



SA-4 ACQUISITIONS


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-4 Acquisitions (P1): LOW SA-4; MOD SA-4 (1) (4); HIGH SA-4 (1) (2) (4)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4


ASSESSMENT PROCEDURE
SA-4 ACQUISITIONS
SA-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
  • security functional requirements/specifications;
  • security-related documentation requirements; and
  • developmental and evaluation-related assurance requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4/1


SA-4(1) ACQUISITIONS
SA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4/2


SA-4(2) ACQUISITIONS
SA-4(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4/3


SA-4(3) ACQUISITIONS
SA-4(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development processes employ:
  • state-of-the-practice software and security engineering methods;
  • quality control processes; and
  • validation techniques.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4/4


SA-4(4) ACQUISITIONS
SA-4(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization explicitly assigns each acquired information system component to an information system; and
(ii) the owner of the system acknowledges each assignment of information system components to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; information system owner].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4/5


SA-4(5) ACQUISITIONS
SA-4(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires in acquisition documents that information system components are delivered in a secure, documented configuration; and
(ii) the organization requires in acquisition documents that the secure configuration is the default configuration for any software reinstalls or upgrades.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4/6


SA-4(6) ACQUISITIONS
SA-4(6).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(ii) the organization ensures that these products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4/7


SA-4(7) ACQUISITIONS
SA-4(7).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization limits the use of commercially-provided information technology products to those products that have been successfully evaluated against a validated U.S. Government Protection Profile for a specific technology type, if such a profile exists;
(ii) the organization requires a commercially-provided information technology product to rely on cryptographic functionality to enforce its security policy when no U.S. Government Protection Profile exists for such a specific technology type; and
(iii) the organization requires the use of a FIPS-validated, cryptographic module for a technology product that relies on cryptographic functionality to enforce its security policy when no U.S. Government Protection Profile exists for such a specific technology type.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].


SA-5 INFORMATION SYSTEM DOCUMENTATION


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-5 Information System Documentation (P2): LOW SA-5; MOD SA-5 (1) (3); HIGH SA-5 (1) (2) (3)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5


ASSESSMENT PROCEDURE
SA-5 INFORMATION SYSTEM DOCUMENTATION
SA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
  • secure configuration, installation, and operation of the information system;
  • effective use and maintenance of the security features/functions; and
  • known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
(ii) the organization obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
  • user-accessible security features/functions and how to effectively use those security features/functions;
  • methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
  • user responsibilities in maintaining the security of the information and information system; and
(iii) the organization documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system documentation including administrator and user guides; records documenting attempts to obtain unavailable or nonexistent information system documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5/1


SA-5(1) INFORMATION SYSTEM DOCUMENTATION
SA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5/2


SA-5(2) INFORMATION SYSTEM DOCUMENTATION
SA-5(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5/3


SA-5(3) INFORMATION SYSTEM DOCUMENTATION
SA-5(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5/4


SA-5(4) INFORMATION SYSTEM DOCUMENTATION
SA-5(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5/5


SA-5(5) INFORMATION SYSTEM DOCUMENTATION
SA-5(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains, protects as required, and makes available to authorized personnel, the source code for the information system to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; information system source code documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SA-6 SOFTWARE USAGE RESTRICTIONS


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-6 Software Usage Restrictions (P1): LOW SA-6; MOD SA-6; HIGH SA-6


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-6


ASSESSMENT PROCEDURE
SA-6 SOFTWARE USAGE RESTRICTIONS
SA-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization uses software and associated documentation in accordance with contract agreements and copyright laws;
(ii) the organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
(iii) the organization controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing software usage restrictions; site license documentation; list of software usage restrictions; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-6/1


SA-6(1) SOFTWARE USAGE RESTRICTIONS
SA-6(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization prohibits the use of binary or machine executable code from sources with limited or no warranty without accompanying source code;
(ii) the organization provides exceptions to the source code requirement only when no alternative solutions are available to support compelling mission/operational requirements; and
(iii) the organization obtains express written consent of the authorizing official for exceptions to the source code requirement.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SA-7 USER-INSTALLED SOFTWARE


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-7 User-Installed Software (P1): LOW SA-7; MOD SA-7; HIGH SA-7


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-7


ASSESSMENT PROCEDURE
SA-7 USER-INSTALLED SOFTWARE
SA-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users; and
(ii) the organization (or information system) enforces explicit rules governing the installation of software by users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing user installed software; list of rules governing user installed software; network traffic on the information system; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].
Test: [SELECT FROM: Enforcement of rules for user installed software on the information system; information system for prohibited software].


SA-8 SECURITY ENGINEERING PRINCIPLES


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-8 Security Engineering Principles (P1): LOW Not Selected; MOD SA-8; HIGH SA-8


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-8


ASSESSMENT PROCEDURE
SA-8 SECURITY ENGINEERING PRINCIPLES
SA-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization applies information system security engineering principles in the specification of the information system;
(ii) the organization applies information system security engineering principles in the design of the information system;
(iii) the organization applies information system security engineering principles in the development of the information system;
(iv) the organization applies information system security engineering principles in the implementation of the information system; and
(v) the organization applies information system security engineering principles in the modification of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing security engineering principles used in the development and implementation of the information system; information system design documentation; security requirements and security specifications for the information system; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system design, development, implementation, and modification responsibilities].



SA-9 EXTERNAL INFORMATION SYSTEM SERVICES


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-9 External Information System Services (P1): LOW SA-9; MOD SA-9; HIGH SA-9


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-9


ASSESSMENT PROCEDURE
SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
SA-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
(ii) the organization defines and documents government oversight, and user roles and responsibilities with regard to external information system services; and
(iii) the organization monitors security control compliance by external service providers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing external information system services; acquisition contracts and service level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; external providers of information system services].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-9/1


SA-9(1) EXTERNAL INFORMATION SYSTEM SERVICES
SA-9(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services;
(ii) the organization defines the senior organizational official designated to approve the acquisition or outsourcing of dedicated information security services; and
(iii) the designated senior organizational official approves the acquisition or outsourcing of dedicated information security services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; risk assessment reports; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].


SA-10 DEVELOPER CONFIGURATION MANAGEMENT


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-10 Developer Configuration Management (P1): LOW Not Selected; MOD SA-10; HIGH SA-10


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-10


ASSESSMENT PROCEDURE
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
SA-10.1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators:
(i) perform configuration management during information system:
  • design;
  • development;
  • implementation; and
  • operation;
(ii) manage and control changes to the information system during:
  • design;
  • development;
  • implementation; and
  • modification;
(iii) implement only organization-approved changes;
(iv) document approved changes to the information system; and
(v) track security flaws and flaw resolution.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system developer/integrator configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel with information system security, acquisition, and contracting responsibilities; organization personnel with configuration management responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-10/1


SA-10(1) DEVELOPER CONFIGURATION MANAGEMENT
SA-10(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators provide an integrity check of software to facilitate organizational verification of software integrity after delivery.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system developer/integrator configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-10/2


SA-10(2) DEVELOPER CONFIGURATION MANAGEMENT
SA-10(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization provides an alternative configuration management process with organizational personnel in the absence of a dedicated developer/integrator configuration management team.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records].



SA-11 DEVELOPER SECURITY TESTING


FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT


Security Control Baseline:
SA-11 Developer Security Testing (P2): LOW Not Selected; MOD SA-11; HIGH SA-11


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-11


ASSESSMENT PROCEDURE
SA-11 DEVELOPER SECURITY TESTING
SA-11.1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; security flaw tracking records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with developer security testing responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-11/1


SA-11(1) DEVELOPER SECURITY TESTING
SA-11(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that information system developers/integrators employ code analysis tools to examine software for common flaws; and
(ii) the organization requires that information system developers/integrators document the results of the analysis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; security flaw tracking records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with developer security testing responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-11/2


SA-11(2) DEVELOPER SECURITY TESTING
SA-11(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators perform a vulnerability analysis to document vulnerabilities, exploitation potential, and risk mitigations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; vulnerability scanning results; information system risk assessment report; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with developer security testing responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-11/3


SA-11(3) DEVELOPER SECURITY TESTING
SA-11(3).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that information system developers/integrators create a security test and evaluation plan; and
(ii) the organization requires that information system developers/integrators implement the plan under the witness of an independent verification and validation agent.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator security testing; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; security test and evaluation plan; security test and evaluation results report; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel with developer security testing responsibilities; independent verification and validation agent].


SA-12 SUPPLY CHAIN PROTECTION


FAMILY: SYSTEM AND SERVICES ACQUISITION | CLASS: MANAGEMENT


Security Control Baseline:
SA-12 Supply Chain Protection | P1 | LOW: Not Selected | MOD: Not Selected | HIGH: SA-12


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-12


ASSESSMENT PROCEDURE
SA-12 SUPPLY CHAIN PROTECTION
SA-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the measures to be employed to protect against supply chain threats; and
(ii) the organization protects against supply chain threats by employing organization-defined measures as part of a comprehensive, defense-in-breadth information security strategy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; acquisition contracts and service level agreements; list of supply chain threats; list of measures to be taken against supply chain threats; information system development life cycle documentation; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-12/1


SA-12(1) SUPPLY CHAIN PROTECTION
SA-12(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization purchases all anticipated information system components and spares in the initial acquisition.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-12/2


SA-12(2) SUPPLY CHAIN PROTECTION
SA-12(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware, software, firmware, or services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; due diligence reviews documentation; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with supply chain protection responsibilities; organizational personnel with information system security, acquisition, and contracting responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-12/3


SA-12(3) SUPPLY CHAIN PROTECTION
SA-12(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization uses trusted shipping and warehousing for:
  • information systems;
  • information system components; and
  • information technology products.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with supply chain protection responsibilities; organizational personnel with information system security, acquisition, and contracting responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-12/4


SA-12(4) SUPPLY CHAIN PROTECTION
SA-12(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs a diverse set of suppliers for:
  • information systems;
  • information system components;
  • information technology products; and
  • information system services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-12/5


SA-12(5) SUPPLY CHAIN PROTECTION
SA-12(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs standard configurations for:
  • information systems;
  • information system components; and
  • information technology products.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; configuration management policy; procedures addressing the baseline configuration of the information system; configuration management plan; information system design documentation; information system architecture and configuration documentation; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-12/6


SA-12(6) SUPPLY CHAIN PROTECTION
SA-12(6).1 ASSESSMENT OBJECTIVE:
Determine if the organization minimizes the time between purchase decisions and delivery of:
  • information systems;
  • information system components; and
  • information technology products.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; shipment records; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-12/7


SA-12(7) SUPPLY CHAIN PROTECTION
SA-12(7).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs independent analysis and penetration testing against delivered:
  • information systems;
  • information system components; and
  • information technology products.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; penetration testing records; security test and evaluation results reports; other relevant documents or records].



SA-13 TRUSTWORTHINESS


FAMILY: SYSTEM AND SERVICES ACQUISITION | CLASS: MANAGEMENT


Security Control Baseline:
SA-13 Trustworthiness | P1 | LOW: Not Selected | MOD: Not Selected | HIGH: SA-13


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-13


ASSESSMENT PROCEDURE
SA-13 TRUSTWORTHINESS
SA-13.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the organization's level of trustworthiness; and
(ii) the organization requires that the information system meet the organization-defined level of trustworthiness.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing security engineering principles used in the development and implementation of the information system; information system design documentation; security requirements and security specifications for the information system; penetration test and vulnerability scan reports; security test and evaluation results; authority to operate documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; information system authorizing official].



SA-14 CRITICAL INFORMATION SYSTEM COMPONENTS


FAMILY: SYSTEM AND SERVICES ACQUISITION | CLASS: MANAGEMENT


Security Control Baseline:
SA-14 Critical Information System Components | P0 | LOW: Not Selected | MOD: Not Selected | HIGH: Not Selected


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-14


ASSESSMENT PROCEDURE
SA-14 CRITICAL INFORMATION SYSTEM COMPONENTS
SA-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the critical information system components that require re-implementation; and
(ii) the organization re-implements organization-defined critical information system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; configuration management plan; list of critical information system components requiring re-implementation; configuration baseline for critical information system components; configuration management records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel implementing, operating, and/or maintaining the information system].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-14/1


SA-14(1) CRITICAL INFORMATION SYSTEM COMPONENTS
SA-14(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies information system components for which alternative sourcing is not viable;
(ii) the organization defines the measures to be employed to prevent critical security controls for information system components from being compromised; and
(iii) the organization employs organization-defined measures to ensure that critical security controls for information system components are not compromised.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; information system design documentation; information system configuration settings and associated documentation; list of information system components; security requirements and security specifications for the information system; penetration test and vulnerability scan reports; security test and evaluation results; other relevant documents or records].



Source