Control number | Control name | Assessment methods | Notes and guidance documents | SP 800-53A guidance |
SA-1 | System and services acquisition policy and procedures | Review the organization's documentation to determine the acquisition processes, policies, and procedures in place for systems, components, and services in support of the system under review. Discuss with System Owner, acquisition staff, operations staff, and Security Officer. | SP 800-12, SP 800-37, rev. 1, SP 800-64, SP 800-100 | Examine: System and services acquisition policy and procedures; other relevant documents or records. Interview: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities. |