Assignment System and Services Acquisition (Case Study)

Seven StepsIntroduction:

It’s critical for the company to convey its information security requests with transparency and specificity when obtaining systems, parts, and services necessary for business success. After reviewing current information system security controls, we have determined that there is a need to overhaul current practice by implementing a new set of security tools necessary to help meet or exceed current and future industry regulatory standards.


Overall, we have discovered that the company has taken the necessary steps to securing the Global Supply Chain (GSC) system with existing policy. GSC is responsible for the company’s supplier selection and contracting. All contracts with suppliers must include language that adequately addresses high-risk areas identified in the Working With Suppliers Policy (WWS Policy) maintained by the company’s legal deptartment.

We’ve discovered opportunities for enhancing security control protocols in regards to supply auditing and contingency planning competencies. Opportunities for improvement in these areas have been previously documented by a plan of action and milestone as a result of previous attempts to make improvements within these areas.


We recommend establishing an enterprise system and services acquisition policy based around the NIST.SP.800-53 rev. 4 “System and Services Acquisition” (SA Family) of control mechanisms for accessing risk with dealing with third party provider services and products. The establishment of security controls as outlined by NIST’s system and services acquisition policy and procedures is instrumental in providing an effective implementation of  policy and procedures that reflect applicable directives, regulations, standards, policies, federal laws, executive orders, and overall general guidance.

NIST.SP.800-53 rev. 4 “System and Services Acquisition” (SA Family) provides the necessary framework from which to work by ensuring organizations have the proper control mechanisms in place. The security controls provided by NIST.SP.800-53 rev. 4 will address requirements for developing information systems and associated products and services for dealing with third party vendors.

22 NIST.SP.800-53 rev.4 system and service acquisition family of controls listed below are under consideration:

  1. (SA-1) System and Services Acquisition Policy and Procedures
  2. (SA-2) Allocation of Resources
  3. (SA-3) System Development Lifecycle
  4. (SA-4) Acquisition Process
  5. (SA-5) Information System Documentation
  6. (SA-6) Software Usage Restrictions
  7. (SA-7) User-Installed Software
  8. (SA-8) Security Engineering Principles
  9. (SA-9) External Information System Services
  10. (SA-10) Developer Configuration Management
  11. (SA-11) Developer Security Testing and Evaluation
  12. (SA-12) Supply Chain Protection
  13. (SA-13) Trustworthiness
  14. (SA-14) Criticality Analysis
  15. (SA-15) Development Process, Standards, and Tools
  16. (SA-16) Developer-Provided Training
  17. (SA-17) Developer Architecture and Design
  18. (SA-18) Tamper Resistance and Detection
  19. (SA-19) Component Authenticity
  20. (SA-20) Customized Development of Critical Components
  21. (SA-21) Developer Screening
  22. (SA-22) Unsupported System Components

The company’s new Information Security policy will serve to provide the necessary components inline with best practices associated with organizational information security management. These new security controls will serve to establish new methods used to evaluate third party supplier services that host the company’s information in addition to third party products that are acquired to process the company’s information.


National Vulnerability Database. (2016, September). NIST Special Publication 800-53 (Rev. 4). Retrieved September, 2016, from



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.