Acquisition and procurement — SY0-701
Learn acquisition and procurement security for CompTIA Security+ SY0-701: supply chain risk, security requirements, and the pre-deployment control trap.
WHAT IT IS
Acquisition is the process of obtaining a system, product, or service, encompassing all stages from identifying the need through contract completion and closeout. (NIST SP 800-161r1-upd1; NIST SP 800-160v1r1 via ISO/IEC/IEEE 15288:2015)
Procurement is treated as synonymous with acquisition in NIST standards: it is the same process of obtaining a system, product, or service. (NIST SP 800-160v1r1)
The security dimension of acquisition and procurement is the discipline of embedding information security requirements — requirements derived from laws, directives, policies, standards, and organizational needs to safeguard confidentiality, integrity, and availability — into that obtaining process before a contract is awarded or a product is accepted. (FIPS 200; NIST SP 800-53 Rev. 5)
Mental model
Think of acquisition and procurement security as the gate that never opens twice. Once a vendor is contracted and a product is delivered, retrofitting security controls is costly and often impossible. The acquirer — the organization or entity that acquires or procures a product or service (NIST SP 800-160v1r1) — has its strongest leverage at the moment of selecting and contracting a supplier. After delivery, that leverage is largely gone.
Security requirements must therefore travel upstream: from the acquirer, through every tier of the supply chain — a linked set of resources and processes between multiple tiers of developers extending from sourcing through design, development, manufacturing, and delivery. (NIST SP 800-37 Rev. 2 via OMB Circular A-130)
When to use it
| Scenario | Acquisition / Procurement security | Something else |
|---|---|---|
| Selecting a new SaaS vendor | Embed security requirements in the RFP and contract — this is acquisition security | Running a vulnerability scan of an already-deployed SaaS — that is security operations monitoring |
| Evaluating a hardware component before purchase | Supply chain risk assessment on the component's provenance | Patching a component already in production |
| Negotiating a clause giving the organization the right to audit a vendor | Contractual security control during procurement | Reviewing audit logs after an incident |
| Receiving a software package and verifying it has not been tampered with | Counterfeit and integrity verification at receipt — part of the acquisition lifecycle | Routine change management |
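The last row of the table, integrity verification at receipt, is the one acquisition-phase control that is easy to show in working code. The following Python script is an added example, not from this page or from any vendor's tooling; the package bytes, file name and manifest are constructed stand-ins. It models both sides: the supplier publishes a digest manifest in `sha256sum` format, and the acquirer re-hashes what was actually delivered and refuses anything that is unlisted or does not match. The manifest must reach the acquirer through a channel independent of the package (or carry a signature the acquirer can check); a digest that arrives alongside a tampered package over the same channel proves nothing, which is why the manifest is treated here as a separate input.

```python
import hashlib
import hmac

# Constructed sample standing in for a delivered package (not a real vendor file).
RECEIVED_PACKAGE = b"example-agent-1.2.3 release payload\n"


def publish_manifest(files: dict[str, bytes]) -> str:
    """Supplier side: emit one '<sha256 hex>  <name>' line per file,
    the same layout `sha256sum` writes. In a real acquisition this text
    would be signed or obtained out of band, never trusted from the same
    download as the package itself."""
    lines = [f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in files.items()]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict[str, str]:
    """Acquirer side: parse manifest lines into {name: expected_hex}.
    Blank lines and '#' comments are skipped; anything else malformed is an error,
    because a manifest that cannot be parsed must not silently verify nothing."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with a leading '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_artifact(name: str, data: bytes, manifest_text: str) -> tuple[bool, str]:
    """Return (accepted, reason). A package is accepted only if it is listed in the
    manifest and its freshly computed SHA-256 matches the published digest."""
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return False, f"{name}: not listed in manifest, refuse to accept"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; harmless here but the right habit for digest checks.
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"{name}: digest mismatch (expected {expected[name][:12]}..., got {actual[:12]}...)"
    return True, f"{name}: integrity verified"


if __name__ == "__main__":
    # Supplier publishes the manifest for the genuine package.
    manifest = publish_manifest({"agent.tar.gz": RECEIVED_PACKAGE})
    # Acquirer checks the genuine delivery, a tampered copy, and an unlisted file.
    for label, fname, blob in [
        ("genuine", "agent.tar.gz", RECEIVED_PACKAGE),
        ("tampered", "agent.tar.gz", RECEIVED_PACKAGE + b"\x00"),
        ("unlisted", "installer.msi", RECEIVED_PACKAGE),
    ]:
        ok, reason = verify_artifact(fname, blob, manifest)
        print(f"[{label}] accepted={ok}: {reason}")
```

Only the "genuine" case is accepted; a single appended byte or a file name absent from the manifest is rejected at receipt, before the package reaches change management or production.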
The exam most commonly presents a scenario at the decision point: a security action that must happen before the product or service is in use, versus a security action that happens after. Acquisition and procurement security belongs to the "before" side.
COMMON MISCONCEPTION
Candidates often treat acquisition and procurement as a purely business or legal function and assume security begins only after a system is deployed.
The NIST supply chain risk management framework makes clear that identifying susceptibilities, vulnerabilities, and threats throughout the supply chain — and developing mitigation strategies against threats presented by the supplier, the supplied products and their subcomponents, or the supply chain itself — is itself a security discipline, not a procurement formality. (CNSSI 4009-2015, via NIST CSRC glossary entry for supply chain risk management)
A second related trap: candidates conflate the terms "acquisition" and "procurement" and assume they refer to different phases. NIST explicitly treats them as synonyms, both meaning the process of obtaining a system, product, or service. (NIST SP 800-160v1r1)
A third trap: candidates may assume that security requirements are only technical controls placed on the delivered product. In NIST framing, security requirements also apply to the supplier and to the supply chain process — covering developers, manufacturers, systems integrators, vendors, product resellers, and third-party partners. (NIST SP 800-53 Rev. 5 definition of "supplier")
How it shows up on the exam
The cognitive target is application: a question will place candidates inside a scenario where an organization is about to engage a new supplier, accept a new product, or draft a contract, and ask what security action is appropriate.
Signal phrases to watch for:
- "before the contract is signed / before the vendor is selected" — points toward acquisition-phase security controls
- "the supplier" or "a third-party provider" combined with any security concern — points toward supply chain risk management as defined by NIST
- "counterfeit" components — the NIST definition of counterfeit (an unauthorized copy misrepresented to be an authorized item of the legally authorized source, NIST SP 800-53 Rev. 5) places detection in the acquisition lifecycle, not in post-deployment patching
- "security requirements" in a procurement context — candidates should recognize these as requirements derived from laws, directives, and organizational needs to protect confidentiality, integrity, and availability (FIPS 200), not merely functional feature checklists
A common misconception exploited by exam questions is that supply chain risk management begins after delivery. Candidates who hold that belief will tend to select operational or incident-response options when the correct answer is a pre-acquisition control such as vetting supplier security practices or including security terms in the contract.
Related concepts
- Asset Management — acquired assets must be inventoried and tracked; the lifecycle that acquisition starts is what asset management continues.
- Data Sanitization and Destruction — the end-of-life mirror of acquisition; both bound the secure lifecycle of a product or service.
- Secure Baselines — security requirements established during procurement define the baseline a delivered system must meet before it enters production.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: