NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-12(1) Acquisition Strategies / Tools / Methods

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Use acquisition strategies, tools, and methods that reduce supply chain risk. Your purchasing process should include security as a selection criterion, not just price and features.

Example 1: Include security evaluation criteria in your RFP scoring rubric. Award points for vendors with SOC 2 Type II reports, ISO 27001 certification, FedRAMP authorization, or CMMC certification. Make security a weighted factor in vendor selection, not a pass/fail checkbox.

Example 2: Use GSA Schedule contracts or other vetted procurement vehicles when possible. Products available through these channels have already undergone some level of vendor vetting. For custom acquisitions, require vendors to complete a security questionnaire and provide evidence of secure development practices before being considered.