SA-9(1)

Requirement
1. Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
2. Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].

Discussion

Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and services acquisition policy; supply chain risk management policy and procedures; procedures addressing external system services; acquisition documentation; acquisition contracts for the system, system component, or system service; risk assessment reports; approval records for the acquisition or outsourcing of dedicated security services; system security plan; supply chain risk management plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with system security responsibilities; external providers of system services; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities].

Test

[SELECT FROM: Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services; organizational processes for approving the outsourcing of dedicated security services; mechanisms supporting and/or implementing risk assessment; mechanisms supporting and/or implementing approval processes].

ID	Assessment Objectives
SA-09(01)(a)	an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;
SA-09(01)(b)	<SA-09(01)_ODP personnel or roles> approve the acquisition or outsourcing of dedicated information security services.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!