Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/SA/Moderate

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


SYSTEM AND SERVICES ACQUISITION

SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-1 System and Services Acquisition Policy and Procedures | Priority: P1 | LOW: SA-1 | MOD: SA-1 | HIGH: SA-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-1


ASSESSMENT PROCEDURE
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system and services acquisition policy;
(ii) the organization's system and services acquisition policy addresses:
(iii) the organization disseminates formal, documented system and services acquisition policy to elements within the organization having associated system and services acquisition roles and responsibilities;
(iv) the organization develops and formally documents system and services acquisition procedures;
(v) the organization's system and services acquisition procedures facilitate implementation of the system and services acquisition policy and associated system and services acquisition controls; and
(vi) the organization disseminates formal, documented system and services acquisition procedures to elements within the organization having associated system and services acquisition roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].
SA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system and services acquisition policy reviews/updates;
(ii) the organization reviews/updates system and services acquisition policy in accordance with the organization-defined frequency;
(iii) the organization defines the frequency of system and services acquisition procedure reviews/updates; and
(iv) the organization reviews/updates system and services acquisition procedures in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].


SA-2 ALLOCATION OF RESOURCES


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-2 Allocation of Resources | Priority: P1 | LOW: SA-2 | MOD: SA-2 | HIGH: SA-2


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-2


ASSESSMENT PROCEDURE
SA-2 ALLOCATION OF RESOURCES
SA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization includes a determination of the information security requirements for the information system in mission/business process planning;
(ii) the organization determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and
(iii) the organization establishes a discrete line item for information security in organizational programming and budgeting documentation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the allocation of resources to information security requirements; organizational programming and budgeting documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with capital planning and investment responsibilities].



SA-3 LIFE CYCLE SUPPORT


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-3 Life Cycle Support | Priority: P1 | LOW: SA-3 | MOD: SA-3 | HIGH: SA-3


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-3


ASSESSMENT PROCEDURE
SA-3 LIFE CYCLE SUPPORT
SA-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization manages the information system using a system development life cycle methodology that includes information security considerations;
(ii) the organization defines and documents information system security roles and responsibilities throughout the system development life cycle; and
(iii) the organization identifies individuals having information system security roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; information system development life cycle documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information security and system life cycle development responsibilities].



SA-4 ACQUISITIONS


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-4 Acquisitions | Priority: P1 | LOW: SA-4 | MOD: SA-4 (1) (4) | HIGH: SA-4 (1) (2) (4)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4


ASSESSMENT PROCEDURE
SA-4 ACQUISITIONS
SA-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
  • security functional requirements/specifications;
  • security-related documentation requirements; and
  • developmental and evaluation-related assurance requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4/1


SA-4(1) ACQUISITIONS
SA-4(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4/4


SA-4(4) ACQUISITIONS
SA-4(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization explicitly assigns each acquired information system component to an information system; and
(ii) the owner of the system acknowledges each assignment of information system components to the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for information systems or services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; information system owner].


SA-5 INFORMATION SYSTEM DOCUMENTATION


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-5 Information System Documentation | Priority: P2 | LOW: SA-5 | MOD: SA-5 (1) (3) | HIGH: SA-5 (1) (2) (3)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5


ASSESSMENT PROCEDURE
SA-5 INFORMATION SYSTEM DOCUMENTATION
SA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
  • secure configuration, installation, and operation of the information system;
  • effective use and maintenance of the security features/functions; and
  • known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
(ii) the organization obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
  • user-accessible security features/functions and how to effectively use those security features/functions;
  • methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and
  • user responsibilities in maintaining the security of the information and information system; and
(iii) the organization documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system documentation including administrator and user guides; records documenting attempts to obtain unavailable or nonexistent information system documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5/1


SA-5(1) INFORMATION SYSTEM DOCUMENTATION
SA-5(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5/3


SA-5(3) INFORMATION SYSTEM DOCUMENTATION
SA-5(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system design documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel operating, using, and/or maintaining the information system].


SA-6 SOFTWARE USAGE RESTRICTIONS


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-6 Software Usage Restrictions | Priority: P1 | LOW: SA-6 | MOD: SA-6 | HIGH: SA-6


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-6


ASSESSMENT PROCEDURE
SA-6 SOFTWARE USAGE RESTRICTIONS
SA-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization uses software and associated documentation in accordance with contract agreements and copyright laws;
(ii) the organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
(iii) the organization controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing software usage restrictions; site license documentation; list of software usage restrictions; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].



SA-7 USER-INSTALLED SOFTWARE


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-7 User-Installed Software | Priority: P1 | LOW: SA-7 | MOD: SA-7 | HIGH: SA-7


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-7


ASSESSMENT PROCEDURE
SA-7 USER-INSTALLED SOFTWARE
SA-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users; and
(ii) the organization (or information system) enforces explicit rules governing the installation of software by users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing user-installed software; list of rules governing user-installed software; network traffic on the information system; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].
Test: [SELECT FROM: Enforcement of rules for user-installed software on the information system; information system for prohibited software].


SA-8 SECURITY ENGINEERING PRINCIPLES


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-8 Security Engineering Principles | Priority: P1 | LOW: Not Selected | MOD: SA-8 | HIGH: SA-8


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-8


ASSESSMENT PROCEDURE
SA-8 SECURITY ENGINEERING PRINCIPLES
SA-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization applies information system security engineering principles in the specification of the information system;
(ii) the organization applies information system security engineering principles in the design of the information system;
(iii) the organization applies information system security engineering principles in the development of the information system;
(iv) the organization applies information system security engineering principles in the implementation of the information system; and
(v) the organization applies information system security engineering principles in the modification of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing security engineering principles used in the development and implementation of the information system; information system design documentation; security requirements and security specifications for the information system; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system design, development, implementation, and modification responsibilities].



SA-9 EXTERNAL INFORMATION SYSTEM SERVICES


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-9 External Information System Services | Priority: P1 | LOW: SA-9 | MOD: SA-9 | HIGH: SA-9


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-9


ASSESSMENT PROCEDURE
SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
SA-9.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
(ii) the organization defines and documents government oversight, and user roles and responsibilities with regard to external information system services; and
(iii) the organization monitors security control compliance by external service providers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing external information system services; acquisition contracts and service level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; external providers of information system services].



SA-10 DEVELOPER CONFIGURATION MANAGEMENT


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-10 Developer Configuration Management | Priority: P1 | LOW: Not Selected | MOD: SA-10 | HIGH: SA-10


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-10


ASSESSMENT PROCEDURE
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
SA-10.1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators:
(i) perform configuration management during information system:
  • design;
  • development;
  • implementation; and
  • operation;
(ii) manage and control changes to the information system during:
  • design;
  • development;
  • implementation; and
  • modification;
(iii) implement only organization-approved changes;
(iv) document approved changes to the information system; and
(v) track security flaws and flaw resolution.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system developer/integrator configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities; organizational personnel with configuration management responsibilities].



SA-11 DEVELOPER SECURITY TESTING


FAMILY: SYSTEM AND SERVICES ACQUISITION CLASS: MANAGEMENT


Security Control Baseline:
SA-11 Developer Security Testing | Priority: P2 | LOW: Not Selected | MOD: SA-11 | HIGH: SA-11


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SA-11


ASSESSMENT PROCEDURE
SA-11 DEVELOPER SECURITY TESTING
SA-11.1 ASSESSMENT OBJECTIVE:
Determine if the organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; security flaw tracking records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with developer security testing responsibilities].


