I thought this week it would be fun to use some of my new found knowledge in the workplace.  A client wanted a detailed idea of what should be considered in regards to a new system acquisition through its life.  They offered a few suggestions as to what they considered important - where parts came from, are they safe, how to handle parts acquisition for legacy systems, and so on. The initial answer was apply some selected controls and that would do the trick.  I suggested what needed to be done is pick all the controls based on the system categorization and generate a System Acquisition Policy (SA-1).  I offered up an example of the EPA CP Policy from class. 

This is a quick Visio diagram I used in conjunction with the EPA document to explain the process.