compliance controls are associated with this Policy definition 'Obtain approvals for acquisitions and outsourcing' (92b94485-1c49-3350-9ada-dffe94f08e87)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SA-9(1) |
FedRAMP_High_R4_SA-9(1) |
FedRAMP High SA-9 (1) |
System And Services Acquisition |
Risk Assessments / Organizational Approvals |
Shared |
n/a |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
link |
2 |
| FedRAMP_Moderate_R4 |
SA-9(1) |
FedRAMP_Moderate_R4_SA-9(1) |
FedRAMP Moderate SA-9 (1) |
System And Services Acquisition |
Risk Assessments / Organizational Approvals |
Shared |
n/a |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
link |
2 |
| hipaa |
1422.05j2Organizational.3-05.j |
hipaa-1422.05j2Organizational.3-05.j |
1422.05j2Organizational.3-05.j |
14 Third Party Assurance |
1422.05j2Organizational.3-05.j 05.02 External Parties |
Shared |
n/a |
All security requirements resulting from work with external parties or internal controls are reflected by the agreement with the external party. |
|
6 |
| hipaa |
17120.10a3Organizational.5-10.a |
hipaa-17120.10a3Organizational.5-10.a |
17120.10a3Organizational.5-10.a |
17 Risk Management |
17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization documents all existing outsourced information services and conducts an organizational assessment of risk prior to the acquisition or outsourcing of information services. |
|
10 |
| NIST_SP_800-53_R4 |
SA-9(1) |
NIST_SP_800-53_R4_SA-9(1) |
NIST SP 800-53 Rev. 4 SA-9 (1) |
System And Services Acquisition |
Risk Assessments / Organizational Approvals |
Shared |
n/a |
The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. |
link |
2 |
| NIST_SP_800-53_R5 |
SA-9(1) |
NIST_SP_800-53_R5_SA-9(1) |
NIST SP 800-53 Rev. 5 SA-9 (1) |
System and Services Acquisition |
Risk Assessments and Organizational Approvals |
Shared |
n/a |
(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
(b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. |
link |
2 |