SA-4(11)

Requirement

Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.

Discussion

When, by contract, an organization provides for the operation of a system of records to accomplish an organizational mission or function, the organization, consistent with its authority, causes the requirements of the PRIVACT to be applied to the system of records.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of Privacy Act requirements into systems of records operated by external organizations; solicitation documentation; acquisition documentation; acquisition contracts for the system, system component, or system service; service level agreements; system security plan; privacy plan; personally identifiable information processing policy; privacy program plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities].

Test

[SELECT FROM: Contract management processes to verify Privacy Act requirements are defined for the operation of a system of records; vendor processes for demonstrating incorporation of Privacy Act requirements in its operation of a system of records].

ID	Assessment Objectives
SA-04(11)	<SA-04(11)_ODP Privacy Act requirements> are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!