Include the security functional requirements, explicitly or by reference, using standardized contract language; and/or organization-defined contract language in the acquisition contract for the system, system component, or system service.
No STIG checks reference this CCI.