
SA-1 Policy and Procedures

Control Description

The system and services acquisition policy and procedures should address cybersecurity supply chain risk management (C-SCRM) throughout the acquisition management life cycle, including purchases made via charge cards. C-SCRM procurement actions and the resulting contracts should include requirements language or clauses that state which controls are mandatory and which are desirable (and may include implementation specifications), what is accepted as evidence that a requirement is satisfied, and how conformance to the requirements will be verified and validated. C-SCRM should also be included as an evaluation factor.

The procurements in scope should not be limited to those directly related to providing an ICT/OT product or service. C-SCRM considerations must be applied to those purchases, but C-SCRM should also be considered for any procurement of products or services in which there is an unacceptable risk that the supplied product, service, or contractor could compromise the integrity, availability, or confidentiality of the enterprise's information. This initial assessment should occur during the acquisition planning phase and should be informed, at a minimum, by an identification and understanding of the criticality of the enterprise's mission functions, its high value assets, and the sensitivity of the information that may be accessible to the supplied product or service provider.

In addition, enterprises should develop policies and procedures that address supply chain risks that may arise during contract performance, such as a change of ownership or control of the supplier's business, or actionable information indicating that a supplier or a product is the target of a supply chain threat. Supply chains evolve continuously through mergers and acquisitions, joint ventures, and other partnership agreements. The policy should help the enterprise recognize these changes and use the information obtained to inform its C-SCRM activities. Enterprises can learn of such changes through, for example, monitoring public announcements about company activities or any communications initiated by suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers.

See Section 3 for further guidance on C-SCRM in the federal acquisition process. Additionally, departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation's Cybersecurity.

Cross-Framework Mappings
