SA-9.2: Identification of Functions, Ports, Protocols, and Services

System and services acquisition policy

supply chain risk management policy and procedures

procedures addressing external system services

acquisition contracts for the system, system component, or system service

acquisition documentation

solicitation documentation

service level agreements

organizational security requirements and security specifications for external service providers

list of required functions, ports, protocols, and other services

system security plan

other relevant documents or records

Organizational personnel with system and service acquisition responsibilities

organizational personnel with information security responsibilities

system/network administrators

external providers of system services