SA-4: Acquisition Process

NIST Baseline: Low

Privacy Baseline: Yes

DIR Required By: 07/20/2023

TAMUS Required By: 08/01/2022

Review Date: 08/08/2024

  • Information resource owners or their designees, in conjunction with Texas A&M University System (TAMUS) and/or Tarleton State University (Tarleton) Procurements and Contracting personnel, must include information security requirements in all information resource acquisition contracts based on an assessment of risk and in accordance with applicable laws including Texas Administrative Code (TAC) §202.77 and TAMUS Policies and Regulations including Policy 25.07, Contract Administration; Regulation 25.07.01, Contract Administration, Delegations and Reporting; and Regulation 25.07.03, Acquisition of Goods and/or Services. Such contract language, explicitly or by reference, within the TAMUS/Tarleton standardized contract language should include: 
    • Security and privacy functional requirements;  
    • Strength of mechanism requirements;  
    • Security and privacy assurance requirements;  
    • Controls needed to satisfy the security and privacy requirements;
    • Security and privacy documentation requirements;  
    • Requirements for protecting security and privacy documentation;  
    • Description of the system development environment and environment in which the system is intended to operate;  
    • Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and  
    • Acceptance criteria. 
  • Information resource owners, or their designees, should ensure that appropriate documentation is provided by the vendor periodically to Tarleton showing evidence that the vendor meets the security controls required under the contract, at least during initial procurement, when any major changes occur to the service/software provided, and during contract renewals.  
  • The Tarleton Chief Information Security Officer (CISO), in coordination with applicable TAMUS and/or Tarleton Procurements and Contracting personnel, shall: 
    • Review and approve the security requirements in acquisition contracts of any new information system that processes and/or stores sensitive or high-impact information prior to the member procuring the system or service, and 
    • Ensure acquisition contracts for information systems, system components, or information system services address information security, backup, and privacy requirements. 
      • Such contracts should include right-to-audit and other provisions to provide appropriate assurance that applications and information are adequately protected. 
      • Such contracts should also require that vendors and third parties adhere to all federal, state, TAMUS, and Tarleton policies pertaining to the protection of information resources and the privacy of sensitive information.
  • TAC §202.77 requires compliance with the Texas Risk and Authorization Management Program (TX-RAMP) for new and renewed contracts for cloud computing services. See the Texas Department of Information Resources guidance for additional information.

References/Additional Resources

PRIVACT 

OMB A-130 

ISO 15408-1 

ISO 15408-2 

ISO 15408-3 

ISO 29148 

FIPS 140-3 

FIPS 201-2 

SP 800-35 

SP 800-37 

SP 800-70 

SP 800-73-4 

SP 800-137 

SP 800-160-1 

SP 800-161 

IR 7539 

IR 7622 

IR 7676 

IR 7870 

IR 8062 

NIAP CCEVS 

NSA CSFC 

Tex. Govt. Code Sec. 2054.138 

1 TAC 202.27 

1 TAC 202.77 

TAMUS Policy 25.07 

TAMUS Regulation 25.07.01 

TAMUS Regulation 25.07.03