SA-4(12)

Requirement
1. Include organizational data ownership requirements in the acquisition contract; and
2. Require all data to be removed from the contractor’s system and returned to the organization within [Assignment: organization-defined time frame].

Discussion

Contractors who operate a system that contains data owned by an organization initiating the contract have policies and procedures in place to remove the data from their systems and/or return the data in a time frame defined by the contract.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of information security and privacy requirements, descriptions, and criteria into the acquisition process; procedures addressing the disposition of personally identifiable information; solicitation documentation; acquisition documentation; acquisition contracts for the system or system service; personally identifiable information processing policy; service level agreements; information sharing agreements; memoranda of understanding; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility for data management and processing requirements; organizational personnel with information security and privacy responsibilities].

Test

[SELECT FROM: Contract management processes to verify that data is removed as required; vendor processes for removing data in required timeframe; mechanisms verifying the removal and return of data].

ID	Assessment Objectives
SA-04(12)(a)	organizational data ownership requirements are included in the acquisition contract;
SA-04(12)(b)	all data to be removed from the contractorís system and returned to the organization is required within <SA-04(12)_ODP time frame>.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!