NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-9(1) Risk Assessments and Organizational Approvals

(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (b) verify that the acquisition or outsourcing of dedicated information security services is approved by {{ insert: param, sa-09.01_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Information security services include the operation of security devices, such as firewalls or key management services, as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks.

Practitioner Notes

Before using an external service, conduct a risk assessment and obtain organizational approval. Someone with authority must accept the risk of depending on an external provider.

Example 1: Before onboarding a new cloud service, complete a vendor risk assessment that evaluates the provider's security certifications (SOC 2, ISO 27001, FedRAMP), data handling practices, incident history, and financial stability. Present the assessment to your CISO or risk management board for formal approval.

Example 2: Create a vendor approval workflow in your procurement system. No purchase order for IT services can be issued without a completed security risk assessment form and sign-off from the security team. Track all approved vendors in a vendor register with their risk rating and next assessment date.