800-53|SA-4

Title

ACQUISITION PROCESS

Description

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

Supplemental

Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). 
Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.

Reference Item Details

Related: CM-6, PL-2, PS-7, SA-11, SA-12, SA-3, SA-5, SA-8

Category: SYSTEM AND SERVICES ACQUISITION

Family: SYSTEM AND SERVICES ACQUISITION

Priority: P1

Baseline Impact: LOW, MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented. | Unix | DISA STIG AIX 6.1 v1r14
GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented. | Unix | DISA STIG AIX 5.3 v1r2
MS.AAD.1.1v1 - Legacy authentication SHALL be blocked. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.2.1v1 - Users detected as high risk SHALL be blocked. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.2.2v1 - A notification SHOULD be sent to the administrator when high-risk users are detected. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.2.3v1 - Sign-ins detected as high risk SHALL be blocked. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.3.6v1 - Phishing-resistant MFA SHALL be required for highly privileged roles. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.3.7v1 - Managed devices SHOULD be required for authentication. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.3.8v1 - Managed Devices SHOULD be required to register MFA. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.AAD.8.3v1 - Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. | microsoft_azure | CISA SCuBA Microsoft 365 Entra ID v1.5.0
MS.EXO.16.1v1 - At a minimum, the following alerts SHALL be enabled: | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.POWERPLATFORM.3.1v1 - Power Platform tenant isolation SHALL be enabled. | microsoft_azure | CISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.TEAMS.1.2v1 - Anonymous users SHALL NOT be enabled to start meetings. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0