Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/SA/Low

Template:Doc:NIST SP 800-53r3 Appendix F/SA-1

Determine if: (i) the organization develops and formally documents system services and acquisition policy; (ii) the organization system services and acquisition policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented system services and acquisition policy to elements within the organization having associated system services and acquisition roles and responsibilities; (iv) the organization develops and formally documents system services and acquisition procedures; (v) the organization system services and acquisition procedures facilitate implementation of the system and services acquisition policy and associated system services and acquisition controls; and (vi) the organization disseminates formal documented system services and acquisition procedures to elements within the organization having associated system services and acquisition roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].

Determine if: (i) the organization defines the frequency of system services and acquisition policy reviews/updates; (ii) the organization reviews/updates system services and acquisition policy in accordance with organization-defined frequency; and (iii) the organization defines the frequency of system services and acquisition procedure reviews/updates; (iv) the organization reviews/updates system services and acquisition procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and services acquisition policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SA-2

Determine if: (i) the organization includes a determination of the information security requirements for the information system in mission/business process planning; (ii) the organization determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and (iii) the organization establishes a discrete line item for information security in organizational programming and budgeting documentation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the allocation of resources to information security requirements; organizational programming and budgeting documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with capital planning and investment responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SA-3

Determine if: (i) the organization manages the information system using a system development life cycle methodology that includes information security considerations; (ii) the organization defines and documents information system security roles and responsibilities throughout the system development life cycle; and (iii) the organization identifies individuals having information system security roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; information system development life cycle documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information security and system life cycle development responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SA-4

Determine if the organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: security functional requirements/specifications; security-related documentation requirements; and developmental and evaluation-related assurance requirements.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of information security requirements and/or security specifications into the acquisition process; acquisition contracts for information systems or services; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system security, acquisition, and contracting responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/SA-5

Determine if: (i) the organization obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes: secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; (ii) the organization obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes: user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system; and (iii) the organization documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing information system documentation; information system documentation including administrator and user guides; records documenting attempts to obtain unavailable or nonexistent information system documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system documentation responsibilities; organizational personnel operating, using, and/or maintaining the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/SA-6

Determine if: (i) the organization uses software and associated documentation in accordance with contract agreements and copyright laws; (ii) the organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and (iii) the organization controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing software usage restrictions; site license documentation; list of software usage restrictions; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/SA-7

Determine if: (i) the organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users; and (ii) the organization (or information system) enforces explicit rules governing the installation of software by users.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing user installed software; list of rules governing user installed software; network traffic on the information system; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system administration responsibilities; organizational personnel operating, using, and/or maintaining the information system].

Test: [SELECT FROM: Enforcement of rules for user installed software on the information system; information system for prohibited software].

Template:Doc:NIST SP 800-53r3 Appendix F/SA-9

Determine if: (i) the organization requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; (ii) the organization defines and documents government oversight, and user roles and responsibilities with regard to external information system services; and (iii) the organization monitors security control compliance by external service providers.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing external information system services; acquisition contracts and service level agreements; organizational security requirements and security specifications for external provider services; security control assessment evidence from external providers of information system services; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; external providers of information system services].