System and services acquisition policy
supply chain risk management policy and procedures
procedures addressing external system services
acquisition documentation
acquisition contracts for the system, system component, or system service
risk assessment reports
approval records for the acquisition or outsourcing of dedicated security services
system security plan
supply chain risk management plan
other relevant documents or records