System and Services Acquisition
NIST SP 800-53 Rev 5 System and Services Acquisition controls.
Policy and Procedures
Develop, document, and disseminate to [parameter]:
Allocation of Resources
Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
System Development Life Cycle
Acquire, develop, and manage the system using [parameter] that incorporates information security and privacy considerations;
Acquisition Process
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [parameter] in the acquisition contract for the system, system component, or system service:
System Documentation
Obtain or develop administrator documentation for the system, system component, or system service that describes:
Software Usage Restrictions
User-installed Software
Security and Privacy Engineering Principles
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [parameter].
External System Services
Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [parameter];
Developer Configuration Management
Require the developer of the system, system component, or system service to:
Developer Testing and Evaluation
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
Supply Chain Protection
Trustworthiness
Criticality Analysis
Development Process, Standards, and Tools
Require the developer of the system, system component, or system service to follow a documented development process that:
Developer-provided Training
Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [parameter].
Developer Security and Privacy Architecture and Design
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:
Tamper Resistance and Detection
Component Authenticity
Customized Development of Critical Components
Reimplement or custom develop the following critical system components: [parameter].
Developer Screening
Require that the developer of [parameter]:
Unsupported System Components
Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
Specialization
Employ [parameter] on [parameter] supporting mission essential services or functions to increase the trustworthiness in those systems or components.
Design For Cyber Resiliency
Design organizational systems, system components, or system services to achieve cyber resiliency by: