System and Services Acquisition (SA)
Implement the security design principle of performance security in [Assignment: organization-defined systems or system components].
System and Services Acquisition (SA)
Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components].
System and Services Acquisition (SA)
Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components].
System and Services Acquisition (SA)
Implement the security design principle of repeatable and documented procedures in [Assignment: organization-defined systems or system components].
System and Services Acquisition (SA)
Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components].
System and Services Acquisition (SA)
Implement the security design principle of secure system modification in [Assignment: organization-defined systems or system components].
System and Services Acquisition (SA)
Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components].
System and Services Acquisition (SA)
Implement the privacy principle of minimization using [Assignment: organization-defined processes].
System and Services Acquisition (SA)
Level N/A
a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques].
System and Services Acquisition (SA)
(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
