SA-2: Allocation of Resources

System and services acquisition policy

system and services acquisition procedures

system and services acquisition strategy and plans

procedures addressing the allocation of resources to information security and privacy requirements

procedures addressing capital planning and investment control

organizational programming and budgeting documentation

system security plan

privacy plan

supply chain risk management policy

other relevant documents or records

Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities

organizational personnel with information security and privacy responsibilities

organizational personnel with supply chain risk management responsibilities

Organizational processes for determining information security and privacy requirements

organizational processes for capital planning, programming, and budgeting

mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting