Overview
Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.
Threat
IA roles that are not clearly defined and expressed during the acquisition or outsourcing of IT services create a confusing environment where IA responsibility can be easily passed and accountability is nonexistent. By clearly defining and expressing IA roles, organizations ensure IA ownership, accountability, and IA consideration throughout the entire systems lifecycle.
Guidance
During acquisition or outsourcing of IT services, contracts and other documentation identifying roles shall include Government, service provider, and end user IA roles and responsibilities, for example: PM, IAM, User Representative, CA, DAA, SIAO, and CIO.
DoD classifies this control in the subject area of “Security Design and Configuration” with an impact of “High”.