SA-4.10: Use of Approved PIV Products

Supply chain risk management plan

system and services acquisition policy

procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process

solicitation documentation

acquisition documentation

acquisition contracts for the system, system component, or system service

service level agreements

FIPS 201 approved products list

system security plan

other relevant documents or records

Organizational personnel with acquisition/contracting responsibilities

organizational personnel with the responsibility for determining system security requirements

organizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented

organizational personnel with information security responsibilities

Organizational processes for selecting and employing FIPS 201-approved products