SA-2 Allocation of Resources

Baselines: LI-SaaS, Low, Moderate, High

Control Description

a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;

b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and

c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

Discussion

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.

Cross-Framework Mappings

Programmatic Queries

Related Services

AWS Budgets
AWS Cost Explorer
AWS Service Quotas

CLI Commands

List all budgets:
    aws budgets describe-budgets --account-id ACCOUNT_ID

Get cost and usage data for a period:
    aws ce get-cost-and-usage --time-period Start=2024-01-01,End=2024-01-31 --granularity MONTHLY --metrics BlendedCost

List service quotas (EC2 shown):
    aws service-quotas list-service-quotas --service-code ec2

Create a budget for resource allocation (budget definition supplied as JSON):
    aws budgets create-budget --account-id ACCOUNT_ID --budget file://budget.json
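The commands above return JSON; turning that JSON into SA-2 evidence is the part an assessor actually asks about. The following script is an added example, not code from this page or from AWS: it checks SA-2(c) (a discrete security line item) by locating a budget scoped to a security cost-allocation tag, summing actual spend attributed to that tag, and flagging untagged spend that cannot be attributed to any line item. It assumes the organization tags resources with `CostCenter=Security`; the two JSON responses are constructed samples that follow the shape of `describe-budgets` output and of `get-cost-and-usage` output when grouped by that tag (`--group-by Type=TAG,Key=CostCenter`), and `budget_definition()` builds the object that `create-budget --budget` expects.

```python
"""SA-2(c) evidence check: is there a discrete security budget, and is spend attributed to it?

Added example (not part of the control page or of AWS tooling). The tag
convention CostCenter=Security and both JSON payloads below are constructed.
"""
import json

TAG_KEY = "CostCenter"
TAG_VALUE = "Security"

# Constructed sample shaped like `aws budgets describe-budgets` output.
# In the Budgets API a tag filter is expressed as "user:<Key>$<Value>".
DESCRIBE_BUDGETS_OUTPUT = json.dumps({
    "Budgets": [
        {"BudgetName": "platform-total",
         "BudgetLimit": {"Amount": "50000", "Unit": "USD"},
         "TimeUnit": "MONTHLY", "BudgetType": "COST", "CostFilters": {}},
        {"BudgetName": "security-program",
         "BudgetLimit": {"Amount": "8000", "Unit": "USD"},
         "TimeUnit": "MONTHLY", "BudgetType": "COST",
         "CostFilters": {"TagKeyValue": ["user:CostCenter$Security"]}},
    ]
})

# Constructed sample shaped like `aws ce get-cost-and-usage --group-by Type=TAG,Key=CostCenter`.
# Cost Explorer reports each tag value as "<Key>$<Value>"; untagged spend appears as "<Key>$".
COST_AND_USAGE_OUTPUT = json.dumps({
    "ResultsByTime": [{
        "TimePeriod": {"Start": "2024-01-01", "End": "2024-02-01"},
        "Groups": [
            {"Keys": ["CostCenter$Security"],
             "Metrics": {"BlendedCost": {"Amount": "6450.25", "Unit": "USD"}}},
            {"Keys": ["CostCenter$Platform"],
             "Metrics": {"BlendedCost": {"Amount": "31200.00", "Unit": "USD"}}},
            {"Keys": ["CostCenter$"],
             "Metrics": {"BlendedCost": {"Amount": "910.00", "Unit": "USD"}}},
        ],
    }]
})


def find_security_budget(describe_output, tag_key=TAG_KEY, tag_value=TAG_VALUE):
    """Return the first budget whose cost filter is scoped to the security tag, else None."""
    wanted = f"user:{tag_key}${tag_value}"
    for budget in json.loads(describe_output).get("Budgets", []):
        if wanted in budget.get("CostFilters", {}).get("TagKeyValue", []):
            return budget
    return None


def spend_for_tag_value(cost_output, tag_value, tag_key=TAG_KEY):
    """Sum BlendedCost across all periods for one tag value ("" means untagged)."""
    wanted = f"{tag_key}${tag_value}"
    total = 0.0
    for period in json.loads(cost_output).get("ResultsByTime", []):
        for group in period.get("Groups", []):
            if wanted in group.get("Keys", []):
                total += float(group["Metrics"]["BlendedCost"]["Amount"])
    return total


def assess(describe_output, cost_output, tag_key=TAG_KEY, tag_value=TAG_VALUE):
    """Produce an SA-2(c) evidence summary with findings a reviewer would raise."""
    budget = find_security_budget(describe_output, tag_key, tag_value)
    actual = spend_for_tag_value(cost_output, tag_value, tag_key)
    untagged = spend_for_tag_value(cost_output, "", tag_key)
    result = {
        "line_item_present": budget is not None,
        "budget_name": budget["BudgetName"] if budget else None,
        "budget_limit": float(budget["BudgetLimit"]["Amount"]) if budget else 0.0,
        "actual_spend": actual,
        "untagged_spend": untagged,
        "utilization": None,
        "findings": [],
    }
    if budget is None:
        result["findings"].append(
            f"SA-2(c): no budget is scoped to {tag_key}={tag_value}; security spend is not a discrete line item")
    else:
        result["utilization"] = actual / result["budget_limit"] if result["budget_limit"] else None
        if result["utilization"] is not None and result["utilization"] > 1.0:
            result["findings"].append("Security spend exceeds its allocated budget; allocation (SA-2 b) needs review")
    if untagged > 0:
        result["findings"].append(
            f"{untagged:.2f} USD of spend carries no {tag_key} tag and cannot be attributed to any line item")
    return result


def budget_definition(name, monthly_usd, tag_key=TAG_KEY, tag_value=TAG_VALUE):
    """Build the object passed as `--budget file://budget.json` to create a tag-scoped cost budget."""
    return {
        "BudgetName": name,
        "BudgetLimit": {"Amount": f"{monthly_usd:.2f}", "Unit": "USD"},
        "TimeUnit": "MONTHLY",
        "BudgetType": "COST",
        "CostFilters": {"TagKeyValue": [f"user:{tag_key}${tag_value}"]},
    }


if __name__ == "__main__":
    print(json.dumps(assess(DESCRIBE_BUDGETS_OUTPUT, COST_AND_USAGE_OUTPUT), indent=2))
    print(json.dumps(budget_definition("security-program", 8000), indent=2))
```

In practice the two payloads come from the page's `describe-budgets` and `get-cost-and-usage` commands; the untagged-spend finding is usually the first thing to fix, because a security line item that resources are not tagged against proves little to an assessor.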

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-2?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-2?
  • How is security integrated throughout your system development lifecycle (SDLC)?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?
  • What security practices are required at each phase of the SDLC?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?
  • Can you show evidence of security activities performed during development?
