CISSP · Question #1406
In which process MUST security be considered during the acquisition of new software?
The correct answer is B. Request for proposal (RFP). Security requirements must be formally defined during the Request for Proposal (RFP) process so vendors can address them before selection or contracting begins.
Question
In which process MUST security be considered during the acquisition of new software?
Options
- AContract negotiation
- BRequest for proposal (RFP)
- CImplementation
- DVendor selection
How the community answered
(60 responses)- B95% (57)
- C2% (1)
- D3% (2)
Why each option
Security requirements must be formally defined during the Request for Proposal (RFP) process so vendors can address them before selection or contracting begins.
Contract negotiation occurs after a vendor has already been selected, meaning security requirements that were not defined earlier may be difficult or costly to include at this late stage.
The RFP is the earliest formal stage where an organization communicates its technical and security requirements to prospective vendors, ensuring that security controls, compliance standards, and data protection expectations are explicitly stated before any vendor is chosen or contracts are drafted. Embedding security in the RFP ensures that only vendors capable of meeting security requirements are even considered, making it the most effective point to enforce security in the acquisition lifecycle.
Implementation is the phase where software is deployed, which is far too late in the acquisition process to introduce fundamental security requirements that should have been part of vendor evaluation.
Vendor selection is the evaluation phase that comes after the RFP has already been issued and responses received, so security criteria must exist prior to this step to meaningfully compare vendors.
Concept tested: Security integration in software acquisition RFP process
Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.