← Back to catalog
SA-9(1)
Risk Assessments and Organizational Approvals
System and Services Acquisition (SA)
Baselines
Low · Not includedModerate · Not includedHigh · Not included
Description
Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and Verify that the acquisition or outsourcing of dedicated information security services is approved by [assignment].
Discussion
Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks.
Implementation guidance
No content available.
CSF 2.0 crosswalk
No CSF mappings exist for this control.