SYSTEM AND SERVICES ACQUISITION - 5315.1

Policy: Each state entity shall determine the information security requirements (confidentiality, integrity, and availability) for its information assets in mission/business process planning; determine, document and allocate the resources required to protect the information assets as part of its capital planning and investment control process; and, establish organizational programming and budgeting documentation.

For all information system acquisitions, the state entity shall identify security functional, strength and assurance requirements; privacy protection requirements; security-related documentation requirements; a description of the information system development and intended operational environments; and acceptance criteria.

Use of alternative technological solutions, such as cloud computing services shall comply with the Technological Alternatives – Cloud Computing Policy (SAM Sections 4983-4983.1), SAM Section 5315.2, and the Cloud Security Standard (SIMM Section 5315-B).

Implementation Controls: NIST SP 800-53: System and Services Acquisition (SA); Personally Identifiable Information Processing and Transparency (PT), FIPS, SIMM 5310-C, and SIMM 5315-B