SA-02 Allocation Of Resources
Introduction
This document describes how Private Mendix Platform fulfills the SA-02 control.
| Control ID | SA-02 |
|---|---|
| Control category | SA - System and Services Acquisition |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Customer - Org |
Control
The organization:
- Determines information security requirements for the information system or information system service in mission and business process planning.
- Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process.
- Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Supplemental Guidance
Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system or service.
The following controls are related to this control:
- PM-3
- PM-11
For more information, refer to the NIST Special Publication 800-65.
Responsibility
Customer Responsibility
The customer is responsible for implementing this control in an appropriate manner in their organization. This includes determining, documenting, and allocating the resources required to protect the Mendix solution as part of capital planning and investment control processes, and establishing discrete line items for information security in organizational programming and budgeting documentation to ensure compliance with federal requirements. The customer must ensure that information security requirements are integrated into mission and business process planning, and that adequate funding is allocated for both initial acquisition and ongoing sustainment of security controls throughout the Mendix solution's lifecycle.
Guidance
Customer Responsibility
This control is governed by NIST SP 800-53 Rev 5 (SA-2) and NIST SP 800-65, which establish requirements for integrating information security into capital planning and investment control processes. Customers operating within a FedRAMP or DoD SRG environment must ensure that information security requirements are determined during mission and business process planning, and that adequate resources are allocated and documented with discrete line items in organizational budgeting to support both initial acquisition and ongoing sustainment of the Mendix solution's security posture.
To meet these requirements, the customer must carry out the following actions:
- Determine and document information security requirements. Establish information security requirements for the Mendix solution during mission and business process planning in accordance with NIST SP 800-65, ensuring the requirements address both initial acquisition and long-term sustainment needs. Determine the resources required to protect the Mendix solution as part of the capital planning and investment control process, and document these requirements in organizational planning documentation.
- Establish discrete security budget line items. Create and maintain discrete line items for information security in organizational programming and budgeting documentation specific to the Mendix solution, ensuring adequate funding is allocated for security controls, compliance activities, vulnerability management, security monitoring, and ongoing security operations as required by NIST SP 800-65 capital planning guidance.
- Collect resource requirements from implementation and operations teams. Establish a formal process to collect input from the Infra Implementer, App Implementer, Infra Operator, and App Operator regarding the resources needed to properly protect the Mendix solution over its lifecycle. Ensure this input informs capital planning decisions, budget allocations, and resource distribution so that security requirements are supported throughout all phases of the system development lifecycle and ongoing operations.