(Revised: 08/2020)

Policy: Each state entity shall determine the information security requirements (confidentiality, integrity, and availability) for its information assets in mission/business process planning; determine, document and allocate the resources required to protect the information assets as part of its capital planning and investment control process; and establish organizational programming and budgeting documentation.


For all information system acquisitions, the state entity shall identify security functional, strength and assurance requirements; privacy protection requirements; security-related documentation requirements; a description of the information system development and intended operational environments; and acceptance criteria.


Use of alternative technological solutions, such as cloud computing services, shall comply with the Technological Alternatives – Cloud Computing Policy (SAM Sections 4983-4983.1), SAM Section 5315.2, and the Cloud Security Standard (SIMM Section 5315-B).



Implementation Controls: NIST SP 800-53: System and Services Acquisition (SA) and Accountability, Audit, and Risk Management (AR); Appendix J – Privacy Control Catalog, FIPS 199, SIMM 5310-C, and SIMM 5315-B
