NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls
SYSTEM AND SERVICES ACQUISITION
SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SA-1 | System and Services Acquisition Policy and Procedures | P1 | SA-1 | SA-1 | SA-1 |

ASSESSMENT PROCEDURE

SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES

SA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization develops and formally documents system and services acquisition policy;
- (ii) the organization's system and services acquisition policy addresses:
- (iii) the organization disseminates formal documented system and services acquisition policy to elements within the organization having associated system and services acquisition roles and responsibilities;
- (iv) the organization develops and formally documents system and services acquisition procedures;
- (v) the organization's system and services acquisition procedures facilitate implementation of the system and services acquisition policy and associated system and services acquisition controls; and
- (vi) the organization disseminates formal documented system and services acquisition procedures to elements within the organization having associated system and services acquisition roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].

SA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization defines the frequency of system and services acquisition policy reviews/updates;
- (ii) the organization reviews/updates system and services acquisition policy in accordance with the organization-defined frequency;
- (iii) the organization defines the frequency of system and services acquisition procedure reviews/updates; and
- (iv) the organization reviews/updates system and services acquisition procedures in accordance with the organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].

SA-2 ALLOCATION OF RESOURCES
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SA-2 | Allocation of Resources | P1 | SA-2 | SA-2 | SA-2 |

ASSESSMENT PROCEDURE

SA-2 ALLOCATION OF RESOURCES

SA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization includes a determination of the information security requirements for the information system in mission/business process planning;
- (ii) the organization determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and
- (iii) the organization establishes a discrete line item for information security in organizational programming and budgeting documentation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the allocation of resources to information security requirements; organizational programming and budgeting documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with capital planning and investment responsibilities].

SA-3 LIFE CYCLE SUPPORT
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SA-3 | Life Cycle Support | P1 | SA-3 | SA-3 | SA-3 |

ASSESSMENT PROCEDURE

SA-3 LIFE CYCLE SUPPORT

SA-3.1 ASSESSMENT OBJECTIVE:

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; information system development life cycle documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with information security and system life cycle development responsibilities].

SA-4 ACQUISITIONS
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SA-4 | Acquisitions | P1 | SA-4 | SA-4 (1) (4) | SA-4 (1) (2) (4) |

ASSESSMENT PROCEDURE

SA-4 ACQUISITIONS

SA-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
- security functional requirements/specifications;
- security-related documentation requirements; and
- developmental and evaluation-related assurance requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; acquisition contracts for information systems or services; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].

SA-5 INFORMATION SYSTEM DOCUMENTATION
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SA-5 | Information System Documentation | P2 | SA-5 | SA-5 (1) (3) | SA-5 (1) (2) (3) |

ASSESSMENT PROCEDURE

SA-5 INFORMATION SYSTEM DOCUMENTATION

SA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:
  - secure configuration, installation, and operation of the information system;
  - effective use and maintenance of the security features/functions; and
  - known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
- (ii) the organization obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:
  - user-accessible security features/functions and how to effectively use those security features/functions;
  - methods for user interaction with the information system, which enable individuals to use the system in a more secure manner; and
  - user responsibilities in maintaining the security of the information and information system; and
- (iii) the organization documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system documentation including administrator and user guides; records documenting attempts to obtain unavailable or nonexistent information system documentation; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with information system documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system].

SA-6 SOFTWARE USAGE RESTRICTIONS
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SA-6 | Software Usage Restrictions | P1 | SA-6 | SA-6 | SA-6 |

ASSESSMENT PROCEDURE

SA-6 SOFTWARE USAGE RESTRICTIONS

SA-6.1 ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization uses software and associated documentation in accordance with contract agreements and copyright laws;
- (ii) the organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and
- (iii) the organization controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and services acquisition policy; procedures addressing software usage restrictions; site license documentation; list of software usage restrictions; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].

SA-7 USER-INSTALLED SOFTWARE
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SA-7 | User-Installed Software | P1 | SA-7 | SA-7 | SA-7 |

ASSESSMENT PROCEDURE

SA-7 USER-INSTALLED SOFTWARE

SA-7.1 ASSESSMENT OBJECTIVE:
Determine if:
- (i) the organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users; and
- (ii) the organization (or information system) enforces explicit rules governing the installation of software by users.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and services acquisition policy; procedures addressing user-installed software; list of rules governing user-installed software; network traffic on the information system; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].
- Test: [SELECT FROM: Enforcement of rules for user-installed software on the information system; information system for prohibited software].

SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
FAMILY: SYSTEM AND SERVICES ACQUISITION
CLASS: MANAGEMENT

Security Control Baseline:

| Control | Name | Priority | LOW | MOD | HIGH |
|---|---|---|---|---|---|
| SA-9 | External Information System Services | P1 | SA-9 | SA-9 | SA-9 |

ASSESSMENT PROCEDURE

SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

SA-9.1 ASSESSMENT OBJECTIVE:

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
- Examine: [SELECT FROM: System and services acquisition policy; procedures addressing external information system services; acquisition contracts and service level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records].
- Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; external providers of information system services].