SA-4(12): Data Ownership

Control Family:

System and Services Acquisition

Parent Control:

SA-4: Acquisition Process

CSF v1.1 References:

ID.SC-3
PR.IP-2
DE.CM-6

Baselines:

(Not part of any baseline)

Control is new to this version of the control set.

Control Statement

Include organizational data ownership requirements in the acquisition contract; and
Require all data to be removed from the contractor’s system and returned to the organization within [Assignment: organization-defined time frame].

Supplemental Guidance

Contractors who operate a system that contains data owned by an organization initiating the contract have policies and procedures in place to remove the data from their systems and/or return the data in a time frame defined by the contract.