Section 4: Acquiring Systems and Services
This section establishes how TxDOT reduces the inherent risks in buying information technology equipment or services. As part of the Security Awareness Policy, this section provides a list of topics to consider. These topics ensure security controls are considered when the purchase is made. These considerations address the “Protect” objective of the Texas CyberSecurity Framework.
TxDOT follows the National Institute of Standards and Technology (NIST) principles for Information Security System and Services Acquisition. These principles advise agencies to follow industry best practices, plan for purchasing information resources, integrate security activities into the project or program lifecycle, document and understand the security configurations, and follow all applicable laws.
Individuals who purchase IT products or services must obtain documentation to
- show the chain of supply, including origin, delivery, and support methodologies
- confirm that the vendor’s personnel have each met the terms and conditions of TxDOT pre-employment personnel assessment processes and procedures
- secure confidentiality of TxDOT information
- demonstrate compliance with security controls and requirements.
Compliance and Standards
See the “Acquiring Systems and Services” standard in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Security Awareness Policy.