NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-2 Allocation of Resources

Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.

Practitioner Notes

When planning new systems or services, you must allocate specific resources — budget, staff, time — for information security. Security cannot be unfunded and then expected to happen.

Example 1: In your project planning process, require a security budget line item for every IT project. This includes costs for security testing, secure configuration, monitoring tools, and ongoing maintenance. If the project plan has no security budget, it does not get approved.

Example 2: During capital planning, include security resource requirements for each system in your portfolio: FTE hours for security management, license costs for monitoring and scanning tools, and budget for annual assessments and penetration tests. Track these allocations in your investment portfolio alongside the system's operational costs.