system and services acquisition

System and services acquisition commonly refers to the structured process an organization uses to plan, procure, validate, and accept systems and services. In industrial and regulated environments, this includes IT systems, OT assets, software platforms such as MES or ERP, cloud services, and vendor-managed solutions.

The focus is on making sure that what is acquired is clearly specified, evaluated, and brought into operation under defined technical, security, quality, and compliance requirements. It typically covers:

• Defining business, technical, security, and regulatory requirements for new systems and services
• Evaluating suppliers and proposed solutions against those requirements
• Including appropriate clauses in contracts for support, updates, data handling, and access control
• Performing security, quality, and interoperability reviews before approval
• Planning deployment, validation, and acceptance testing
• Documenting ownership, responsibilities, and lifecycle expectations

In manufacturing and regulated operations

In manufacturing, system and services acquisition typically applies when organizations select and onboard:

• Industrial control systems, PLCs, HMIs, and associated network components
• Manufacturing IT platforms such as MES, LIMS, QMS, and historian systems
• Cloud or SaaS services used for production scheduling, maintenance, or quality management
• Third-party services such as remote monitoring, managed OT security, or data integration services

Operationally, the acquisition process helps ensure that new systems and services can be integrated with existing OT/IT infrastructure, support required audit trails and data retention, and respect plant safety, cybersecurity, and change control practices.

Relation to security and supply chain controls

In security and control catalogs such as NIST SP 800-53, system and services acquisition is treated as a control family governing how organizations specify, evaluate, and approve systems and services with security and supply chain risk in mind. This includes:

• Requiring security and privacy capabilities in purchased products and services
• Considering software supply chain risks when selecting vendors and components
• Ensuring that contracts and service agreements address access, updates, and incident response
• Requiring documentation needed for audits, traceability, and configuration management

In brownfield manufacturing environments, these practices are often applied when upgrading legacy OT systems, adding remote connectivity, or onboarding new software suppliers that interact with production networks.

Common confusion

• Not the same as general procurement: System and services acquisition is a focused subset of procurement that emphasizes technical, security, lifecycle, and compliance requirements, rather than only price and commercial terms.
• Different from vendor management: Vendor management looks at the broader relationship with a supplier over time. Acquisition focuses on the specific process of defining, selecting, and accepting particular systems or services.