SA-9(1): Risk Assessments / Organizational Approvals

Control Family:

System And Services Acquisition

Parent Control:

SA-9: External Information System Services

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

ID.AM-4
ID.SC-1
ID.SC-3
ID.SC-4
PR.AT-3
DE.CM-6

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
SA-9(1): Risk Assessments and Organizational Approvals

Control Statement

The organization:

Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].

Supplemental Guidance

Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services.