NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-4(11) System of Records

Include {{ insert: param, sa-04.11_odp }} in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

When, by contract, an organization provides for the operation of a system of records to accomplish an organizational mission or function, the organization, consistent with its authority, causes the requirements of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) to be applied to the system of records.

Practitioner Notes

When acquiring systems that will maintain records about individuals, require the vendor to support compliance with Privacy Act requirements, including the ability to produce records for individual access requests.

Example 1: In contracts for systems that store PII, include requirements for the vendor to support Privacy Act compliance: the ability to search records by personal identifier, export records in a readable format, and apply retention and disposition schedules. Verify these capabilities during acceptance testing.

Example 2: Require vendor systems to support data subject access requests — the ability to find, export, and delete an individual's records on demand. Test this capability during procurement evaluation by providing test scenarios: 'Show me all records for individual X' and 'Delete all records for individual Y.'