NIST 800-53 Vendor Risk Management Policy (SA/SR)

Document ID: PLCY-NIST-SA-001
Version: 1.0
Effective Date: December 30, 2025
Last Review: December 30, 2025
Owner: Hop And Haul Team


CONFIDENTIAL

This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.

1. Purpose

This document defines Hop And Haul's implementation of the NIST 800-53 System and Services Acquisition (SA) and Supply Chain Risk Management (SR) control families for FedRAMP Moderate authorization. It establishes requirements for managing third-party vendor risk, securing the supply chain, and ensuring that external services meet the organization's security requirements.


2. Scope

This policy applies to:

  • All third-party vendors providing services to Hop And Haul
  • All external system integrations
  • All software dependencies and libraries
  • All cloud service providers
  • All contractors with system access

3. System and Services Acquisition Policy (SA-1)

3.1 Policy Statement

Hop And Haul implements vendor risk management that:

  • Assesses security posture before vendor engagement
  • Requires contractual security obligations
  • Monitors vendor compliance continuously
  • Manages supply chain risks

3.2 Responsibilities

Role | Responsibilities
Security Team | Vendor security assessment, monitoring
Legal | Contract review, security clauses
Procurement | Vendor selection, contract management
Technical Teams | Integration security, API security

4. Resource Allocation (SA-2)

4.1 Security in Planning

Activity | Security Involvement
Vendor selection | Security assessment required
Contract negotiation | Security clauses required
Integration planning | Security architecture review
Budget planning | Security tools and assessments funded

4.2 Security Budget Items

Item | Purpose
Vendor assessments | Third-party security reviews
Security tools | Scanning, monitoring
Training | Secure development, awareness
Audits | Compliance verification

5. System Development Life Cycle (SA-3)

5.1 SDLC Security Integration

Phase | Security Activities
Requirements | Security requirements defined
Design | Threat modeling, security architecture
Development | Secure coding, SAST
Testing | Security testing, penetration testing
Deployment | Security verification, hardening
Maintenance | Vulnerability management, patching

5.2 Security Checkpoints

Checkpoint | Requirements
Design review | Security architecture approved
Code review | Security review completed
Pre-deployment | Security scan passed
Post-deployment | Security verification completed

6. Acquisition Process (SA-4)

6.1 Security Requirements in Acquisitions

Requirement | Application
Security questionnaire | All vendors with data access
SOC 2 report | Cloud services, data processors
FedRAMP authorization | Federal workloads
Penetration test results | High-risk integrations
Security certifications | As appropriate

6.2 Vendor Assessment Criteria

Category | Weight | Criteria
Security certifications | 25% | SOC 2, ISO 27001, FedRAMP
Security practices | 25% | Policies, procedures, training
Technical controls | 25% | Encryption, access controls, monitoring
Incident response | 15% | IR plan, breach history, notification
Compliance | 10% | Regulatory compliance, audits

6.3 Assessment Levels

Vendor Risk | Assessment Depth
Critical | Full assessment, on-site if needed
High | Detailed questionnaire, evidence review
Moderate | Standard questionnaire
Low | Basic due diligence

7. System Documentation (SA-5)

7.1 Required Documentation

Document | Content
System architecture | Components, data flows, integrations
Security architecture | Controls, boundaries, encryption
API documentation | Endpoints, authentication, data formats
Operations runbook | Procedures, contacts, escalation
Incident response | Vendor-specific procedures

7.2 Documentation Maintenance

Activity | Frequency
Architecture review | Annual or on significant change
Security documentation | Annual or on control changes
API documentation | With each API change
Runbook review | Quarterly

8. Security Engineering Principles (SA-8)

8.1 Design Principles

Principle | Implementation
Defense in depth | Multiple security layers
Least privilege | Minimal necessary access
Separation of duties | Role-based controls
Fail secure | Secure default on failure
Zero trust | Verify all access requests

8.2 Architecture Standards

Standard | Requirement
API security | OAuth 2.0/OIDC, TLS 1.3
Data protection | Encryption at rest and in transit
Access control | RBAC, tenant isolation
Logging | Comprehensive audit trails

9. External System Services (SA-9)

9.1 External Service Requirements

Requirement | Description
Security agreement | Contractual security obligations
Data handling | Data protection, retention, deletion
Access controls | Authentication, authorization
Monitoring | Logging, alerting
Incident notification | Breach notification requirements

9.2 Service Provider Monitoring

Activity | Frequency
SOC 2 report review | Annual
Security questionnaire | Annual
Incident review | As needed
Access review | Quarterly

10. Developer Security Testing (SA-11)

10.1 Testing Requirements

Test Type | Timing | Coverage
SAST | Every commit | All code
DAST | Pre-release | All endpoints
SCA | Daily | All dependencies
Penetration testing | Annual | Full application

10.2 Vulnerability Standards

Severity | Action Required
Critical | Block release, immediate fix
High | Fix before release
Medium | Fix within 30 days
Low | Track and remediate

11. Supply Chain Risk Management (SR)

11.1 Supply Chain Security Policy

Control | Implementation
Vendor vetting | Security assessment before engagement
Component verification | Dependency scanning, checksums
Continuous monitoring | Vendor security updates, breaches
Contingency planning | Vendor alternatives identified

11.2 Component Provenance

Component Type | Verification
Open source | License review, security scanning
Commercial | Vendor assessment, contract review
Cloud services | FedRAMP or equivalent
Infrastructure | AWS FedRAMP High

12. Current Vendor Risk Register

12.1 Critical/High Risk Vendors

Vendor | Service | FedRAMP Status | Risk Level | Mitigation
AWS | Infrastructure | FedRAMP High | Low | Inherited controls
Cloudflare | Zero Trust, CDN, WAF | FedRAMP Moderate | Low | Inherited controls
Twilio | Voice/SMS relay | FedRAMP Moderate | Medium | Data minimization
Samsara | Fleet telematics | Not FedRAMP | High | Scoped integration

12.2 Vendor-Specific Mitigations

AWS (FedRAMP High)

Risk | Mitigation
Shared responsibility | Clear boundary documentation
Data residency | US-only regions configured
Access control | IAM policies, MFA required

Cloudflare (FedRAMP Moderate)

Risk | Mitigation
Traffic inspection | End-to-end encryption maintained
Configuration | Zero Trust policies documented
Access | SSO integration, audit logging

Twilio (FedRAMP Moderate)

Risk | Mitigation
Voice data | No call recording enabled
Message content | Minimal data in SMS
Integration security | API key rotation, least privilege

Samsara (Not FedRAMP)

Risk | Mitigation
Not FedRAMP authorized | Customer responsibility for federal workloads
API security | Scoped API keys, secrets management
Data exposure | Read-only integration, minimal data
Key compromise | Automatic rotation, anomaly detection

13. API Integration Security

13.1 Integration Security Requirements

Requirement | Implementation
Authentication | API keys or OAuth 2.0
Encryption | TLS 1.3 minimum
Rate limiting | Per-integration limits
Logging | All API calls logged
Monitoring | Anomaly detection

13.2 API Key Management

Control | Implementation
Storage | AWS Secrets Manager
Rotation | Quarterly (automatic)
Scope | Least privilege
Monitoring | Usage tracking
Revocation | Immediate capability

13.3 Samsara Integration Specifics

Control | Requirement
Key storage | AWS Secrets Manager
Key scope | Read-only, specific vehicle tags
Envelope encryption | Per-tenant key wrapping
Rate limiting | Per-tenant API limits
Anomaly detection | Usage spike alerting
Kill switch | Automatic revocation on anomaly
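As an added example (not the policy's own code and not any vendor's tooling), the per-tenant rate limiting, usage-spike detection and kill-switch controls listed for the Samsara integration, written as detection logic run over constructed API-call log lines; the log format, tenant ids, key ids, limits and baselines are all assumptions.

```python
"""Added example, not the policy's own code: per-tenant usage monitoring for
the Samsara integration in section 13.3. It replays constructed API-call log
lines, applies a per-tenant rate limit, flags a usage spike against each
tenant's baseline, and returns the kill-switch decision (which key to revoke).
The log format, tenant ids, limits and baselines are all assumptions."""
from collections import Counter, defaultdict

# Assumed log line format: "<minute> tenant=<id> key=<key id> <method> <path>"
# Constructed sample: t1 spikes to 6 calls in one minute, t3 exceeds its rate
# limit without a spike, t2 behaves normally.
SAMPLE_LOG = "\n".join(
    ["2025-12-30T10:00 tenant=t1 key=k-t1 GET /fleet/vehicles/stats"] * 6
    + ["2025-12-30T10:00 tenant=t2 key=k-t2 GET /fleet/vehicles"] * 2
    + ["2025-12-30T10:00 tenant=t3 key=k-t3 GET /fleet/vehicles/locations"] * 5
)

RATE_LIMIT_PER_MIN = 4                            # assumed per-tenant API limit
SPIKE_FACTOR = 3                                  # assumed: >= 3x baseline is an anomaly
BASELINE_PER_MIN = {"t1": 2, "t2": 2, "t3": 5}    # assumed normal call rate per tenant

def parse_line(line):
    minute, tenant, key, _method, path = line.split()
    return {"minute": minute, "tenant": tenant.split("=", 1)[1],
            "key": key.split("=", 1)[1], "path": path}

def calls_per_minute(log_text):
    """Return {tenant: {"key": key id, "counts": Counter(minute -> calls)}}."""
    usage = defaultdict(lambda: {"key": None, "counts": Counter()})
    for rec in map(parse_line, log_text.splitlines()):
        usage[rec["tenant"]]["key"] = rec["key"]
        usage[rec["tenant"]]["counts"][rec["minute"]] += 1
    return usage

def evaluate(log_text):
    """Return {tenant: (decision, key id)}; decision is 'ok', 'rate_limited'
    or 'revoke_key'. A spike triggers the kill switch regardless of the limit."""
    decisions = {}
    for tenant, info in calls_per_minute(log_text).items():
        peak = max(info["counts"].values())
        baseline = BASELINE_PER_MIN.get(tenant, 1)
        if peak >= SPIKE_FACTOR * baseline:
            decisions[tenant] = ("revoke_key", info["key"])   # automatic revocation on anomaly
        elif peak > RATE_LIMIT_PER_MIN:
            decisions[tenant] = ("rate_limited", info["key"])  # throttle and alert
        else:
            decisions[tenant] = ("ok", info["key"])
    return decisions

if __name__ == "__main__":
    for tenant, (decision, key) in sorted(evaluate(SAMPLE_LOG).items()):
        print(f"{tenant}: {decision} (key {key})")
```

In a real deployment the `revoke_key` decision would drive the Secrets Manager rotation and an alert, which this offline example only reports.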

14. Contract Security Requirements

14.1 Required Contract Clauses

Clause | Purpose
Data protection | Encryption, access controls
Breach notification | Timeline, content requirements
Audit rights | Right to assess vendor security
Subprocessor approval | Control over data sharing
Data deletion | Return or destruction requirements
Compliance | Regulatory compliance obligations

14.2 Service Level Agreements

SLA | Requirement
Availability | 99.9% or better
Incident response | 1 hour acknowledgment
Breach notification | 24-48 hours
Support | 24/7 for critical issues

15. Vendor Monitoring and Review

15.1 Ongoing Monitoring

Activity | Frequency | Owner
SOC 2 report review | Annual | Security
Security questionnaire | Annual | Security
FedRAMP status check | Quarterly | Security
Incident tracking | Continuous | Security
News/breach monitoring | Continuous | Security

15.2 Review Triggers

Trigger | Action
Vendor breach | Immediate assessment
SOC 2 findings | Risk reassessment
Service degradation | Performance review
Regulatory change | Compliance review
Contract renewal | Full reassessment

16. Unsupported Components (SA-22)

16.1 End-of-Life Management

Status | Action
End-of-life announced | Plan migration
6 months to EOL | Migration in progress
EOL reached | Component replaced
Extended support | Document risk acceptance

16.2 Dependency Management

Activity | Frequency
Dependency audit | Monthly
EOL tracking | Quarterly
Update planning | Continuous
Security patches | Per SLA

17. FedRAMP-Specific Requirements

17.1 FedRAMP Vendor Requirements

Requirement | Application
FedRAMP authorization | Required for federal data processing
3PAO assessment | Independent verification
Continuous monitoring | Ongoing compliance
Significant change | Notification requirements

17.2 Non-FedRAMP Vendor Considerations

For vendors without FedRAMP authorization (e.g., Samsara):

Consideration | Approach
Federal data | Not processed by non-FedRAMP vendors
Integration scope | Minimal necessary data
Compensating controls | Enhanced monitoring, encryption
Documentation | Risk acceptance documented

18. Related Documents

Document | Relationship
PLCY-SEC-001 | Security controls
PLCY-FED-003 | T4 API Key risk
PLCY-FED-005 | NIST control mapping

19. Document Control

Version | Date | Author | Changes
1.0 | December 30, 2025 | Hop And Haul Team | Initial release

CONFIDENTIAL - Internal Use Only - Hop And Haul Policy Documentation