nerdexam
(ISC)2

CISSP · Question #1406

In which process MUST security be considered during the acquisition of new software?

The correct answer is B. Request for proposal (RFP). Security requirements must be formally defined during the Request for Proposal (RFP) process so vendors can address them before selection or contracting begins.

Submitted by khalil_dz· Mar 5, 2026Software Development Security

Question

In which process MUST security be considered during the acquisition of new software?

Options

  • AContract negotiation
  • BRequest for proposal (RFP)
  • CImplementation
  • DVendor selection

How the community answered

(60 responses)
  • B
    95% (57)
  • C
    2% (1)
  • D
    3% (2)

Why each option

Security requirements must be formally defined during the Request for Proposal (RFP) process so vendors can address them before selection or contracting begins.

AContract negotiation

Contract negotiation occurs after a vendor has already been selected, meaning security requirements that were not defined earlier may be difficult or costly to include at this late stage.

BRequest for proposal (RFP)Correct

The RFP is the earliest formal stage where an organization communicates its technical and security requirements to prospective vendors, ensuring that security controls, compliance standards, and data protection expectations are explicitly stated before any vendor is chosen or contracts are drafted. Embedding security in the RFP ensures that only vendors capable of meeting security requirements are even considered, making it the most effective point to enforce security in the acquisition lifecycle.

CImplementation

Implementation is the phase where software is deployed, which is far too late in the acquisition process to introduce fundamental security requirements that should have been part of vendor evaluation.

DVendor selection

Vendor selection is the evaluation phase that comes after the RFP has already been issued and responses received, so security criteria must exist prior to this step to meaningfully compare vendors.

Concept tested: Security integration in software acquisition RFP process

Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final

Topics

#software acquisition#RFP#supply chain security#SDLC

Community Discussion

No community discussion yet for this question.

Full CISSP Practice