SA-9 (1)

SA-9 (1) H M
Description

The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].

DISA Cloud Computing SRG

b. the DoD Component CIO or their delegate(s)

Source:
DoD RMF TAG

Supplemental Guidance

Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services.

Related Controls