SYSTEM AND SERVICES ACQUISITION - 5315.1-NOV-2019
Policy: Each state entity shall determine the information securityrequirements (confidentiality, integrity, and availability) for its information assets inmission/business process planning; determine, document and allocate the resources required toprotect the information assets as part of its capital planning and investment controlprocess; and, establish organizational programming and budgetingdocumentation.
For all information system acquisitions, the state entity shall identify securityfunctional, strength and assurance requirements; privacy protection requirements; security-related documentation requirements;a description of the information system development and intendedoperational environments; and acceptancecriteria.
Implementation Controls: NIST SP 800-53: