SA-4 Acquisition Process
Description
Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system.
Information system components include commercial information technology products.
Security functional requirements include security capabilities, security functions, and security mechanisms.
Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass.
Security assurance requirements include:
- development processes, procedures, practices, and methodologies; and
- evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved.
Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process.
The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information.
Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy).
Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services.
Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement.
The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.
Applicability
This Control applies to any university personnel who currently have, or will have, a vendor, third party, or cloud computing service provider agreement or contract.
The procedures in this Control shall be applied to new contracts or agreements, renewal of existing contracts or agreements, and amendments to existing contracts or agreements. Information resources contracts must include all terms required in this Control.
Implementation
TAMU-CC includes the following security requirements and/or security specifications, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
The Chief Information Security and Privacy Officer (CISPO):
- Reviews and approves the security requirements in acquisition contracts of any new information system that processes and/or stores sensitive or mission-critical information prior to the member procuring the system or service, to validate and ensure the contract specifies:
  - Security functional requirements;
  - Security strength requirements;
  - Security assurance requirements;
  - Security-related documentation requirements;
  - Requirements for protecting security-related documentation;
  - Description of the information system development environment and the environment in which the system is intended to operate; and
  - Acceptance criteria.
- Ensures acquisition contracts for information systems, system components, or information system services address information security, backup, and privacy requirements:
  - Such contracts should include right-to-audit and other provisions to provide appropriate assurance that applications and information are adequately protected.
  - Vendors and third parties adhere to all state and Federal laws and System policies pertaining to the protection of information resources and the privacy of sensitive information.
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019