SA-2 - Allocation of Resources
Control requirements
SA-2 (a)
Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning.
SA-2 (b)
Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process.
SA-2 (c)
Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.
NIST supplemental guidance
Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.