Control ID Title / Statement Priority Baseline Impact
SA-1
System and Services Acquisition Policy and Procedures 3 params
The organization: a. Develops, documents, and disseminates to {{ insert: param, sa-1_prm_1 }}: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibiliti...
Param ID Label Constraint / Choices
sa-1_prm_1 organization-defined personnel or roles Organization-defined
sa-1_prm_2 organization-defined frequency Organization-defined
sa-1_prm_3 organization-defined frequency Organization-defined
SA-2
Allocation of Resources
The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and al...
SA-3
System Development Life Cycle 1 param
The organization: a. Manages the information system using {{ insert: param, sa-3_prm_1 }} that incorporates information security considerations; b. Defines and documents information security ro...
Param ID Label Constraint / Choices
sa-3_prm_1 organization-defined system development life cycle Organization-defined
SA-4
Acquisition Process 2 params
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or informatio...
Param ID Label Constraint / Choices
sa-04_odp.01 Select one-or-more: standardized contract language; {{ insert: param, sa-04_odp.02 }}
sa-04_odp.02 contract language contract language is defined (if selected);
SA-4(1)
Functional Properties of Security Controls
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to ...
SA-4(2)
Design / Implementation Information for Security Controls 3 params
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be e...
Param ID Label Constraint / Choices
sa-4.2_prm_1 Select one-or-more: security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; {{ insert: param, sa-4.2_prm_2 }}
sa-4.2_prm_2 organization-defined design/implementation information Organization-defined
sa-4.2_prm_3 organization-defined level of detail Organization-defined
SA-4(3)
Development Methods / Techniques / Practices 1 param
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes {{ insert:...
Param ID Label Constraint / Choices
sa-4.3_prm_1 organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes Organization-defined
SA-4(4)
Assignment of Components to Systems
SA-4(5)
System / Component / Service Configurations 1 param
The organization requires the developer of the information system, system component, or information system service to: (a) Deliver the system, component, or service with {{ insert: param, sa-4.5_...
Param ID Label Constraint / Choices
sa-4.5_prm_1 organization-defined security configurations Organization-defined
SA-4(6)
Use of Information Assurance Products
The organization: (a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA...
SA-4(7)
NIAP-approved Protection Profiles
The organization: (a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated aga...
SA-4(8)
Continuous Monitoring Plan 1 param
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness ...
Param ID Label Constraint / Choices
sa-4.8_prm_1 organization-defined level of detail Organization-defined
SA-4(9)
Functions / Ports / Protocols / Services in Use
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, prot...
SA-4(10)
Use of Approved PIV Products
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational informatio...
SA-5
Information System Documentation 2 params
The organization: a. Obtains administrator documentation for the information system, system component, or information system service that describes: 1. Secure configuration, installation, and...
Param ID Label Constraint / Choices
sa-5_prm_1 organization-defined actions Organization-defined
sa-5_prm_2 organization-defined personnel or roles Organization-defined
SA-5(1)
Functional Properties of Security Controls
SA-5(2)
Security-relevant External System Interfaces
SA-5(3)
High-level Design
SA-5(4)
Low-level Design
SA-5(5)
Source Code
SA-6
Software Usage Restrictions
SA-7
User-installed Software
SA-8
Security Engineering Principles 3 params
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
Param ID Label Constraint / Choices
sa-8_prm_1 organization-defined systems security and privacy engineering principles Organization-defined
sa-08_odp.01 systems security engineering principles systems security engineering principles are defined;
sa-08_odp.02 privacy engineering principles privacy engineering principles are defined;
SA-9
External Information System Services 2 params
The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ {{ insert: param, sa-9_prm_1 }} in acc...
Param ID Label Constraint / Choices
sa-9_prm_1 organization-defined security controls Organization-defined
sa-9_prm_2 organization-defined processes, methods, and techniques Organization-defined
SA-9(1)
Risk Assessments / Organizational Approvals 1 param
The organization: (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (b) Ensures that the acquisition or o...
Param ID Label Constraint / Choices
sa-9.1_prm_1 organization-defined personnel or roles Organization-defined
SA-9(2)
Identification of Functions / Ports / Protocols / Services 1 param
The organization requires providers of {{ insert: param, sa-9.2_prm_1 }} to identify the functions, ports, protocols, and other services required for the use of such services.
Param ID Label Constraint / Choices
sa-9.2_prm_1 organization-defined external information system services Organization-defined
SA-9(3)
Establish / Maintain Trust Relationship with Providers 1 param
The organization establishes, documents, and maintains trust relationships with external service providers based on {{ insert: param, sa-9.3_prm_1 }}.
Param ID Label Constraint / Choices
sa-9.3_prm_1 organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships Organization-defined
SA-9(4)
Consistent Interests of Consumers and Providers 2 params
The organization employs {{ insert: param, sa-9.4_prm_1 }} to ensure that the interests of {{ insert: param, sa-9.4_prm_2 }} are consistent with and reflect organizational interests.
Param ID Label Constraint / Choices
sa-9.4_prm_1 organization-defined security safeguards Organization-defined
sa-9.4_prm_2 organization-defined external service providers Organization-defined
SA-9(5)
Processing, Storage, and Service Location 3 params
The organization restricts the location of {{ insert: param, sa-9.5_prm_1 }} to {{ insert: param, sa-9.5_prm_2 }} based on {{ insert: param, sa-9.5_prm_3 }}.
Param ID Label Constraint / Choices
sa-9.5_prm_1 Select one-or-more: information processing; information/data; information system services
sa-9.5_prm_2 organization-defined locations Organization-defined
sa-9.5_prm_3 organization-defined requirements or conditions Organization-defined
SA-10
Developer Configuration Management 3 params
The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service {{ ...
Param ID Label Constraint / Choices
sa-10_prm_1 Select one-or-more: design; development; implementation; operation
sa-10_prm_2 organization-defined configuration items under configuration management Organization-defined
sa-10_prm_3 organization-defined personnel Organization-defined
SA-10(1)
Software / Firmware Integrity Verification
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
SA-10(2)
Alternative Configuration Management Processes
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
SA-10(3)
Hardware Integrity Verification
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
SA-10(4)
Trusted Generation
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardwa...
SA-10(5)
Mapping Integrity for Version Control
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware d...
SA-10(6)
Trusted Distribution
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and ...
sa-10a Perform configuration management during system, component, or service {{ insert: param, sa-10_prm_1 }};
sa-10b Document, manage, and control the integrity of changes to {{ insert: param, sa-10_prm_2 }};
sa-10c Implement only organization-approved changes to the system, component, or service;
sa-10d Document approved changes to the system, component, or service and the potential security impacts of such changes; and
sa-10e Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_prm_3 }}.
SA-11
Developer Security Testing and Evaluation 2 params
The organization requires the developer of the information system, system component, or information system service to: a. Create and implement a security assessment plan; b. Perform {{ insert: ...
Param ID Label Constraint / Choices
sa-11_prm_1 Select one-or-more: unit; integration; system; regression
sa-11_prm_2 organization-defined depth and coverage Organization-defined
SA-11(1)
Static Code Analysis
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the res...
SA-11(2)
Threat and Vulnerability Analyses
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of ...
SA-11(3)
Independent Verification of Assessment Plans / Evidence 1 param
The organization: (a) Requires an independent agent satisfying {{ insert: param, sa-11.3_prm_1 }} to verify the correct implementation of the developer security assessment plan and the evidence p...
Param ID Label Constraint / Choices
sa-11.3_prm_1 organization-defined independence criteria Organization-defined
SA-11(4)
Manual Code Reviews 2 params
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of {{ insert: param, sa-11.4_prm_1 }} using {{ ins...
Param ID Label Constraint / Choices
sa-11.4_prm_1 organization-defined specific code Organization-defined
sa-11.4_prm_2 organization-defined processes, procedures, and/or techniques Organization-defined
SA-11(5)
Penetration Testing 2 params
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at {{ insert: param, sa-11.5_prm_1 }} and with {{ i...
Param ID Label Constraint / Choices
sa-11.5_prm_1 organization-defined breadth/depth Organization-defined
sa-11.5_prm_2 organization-defined constraints Organization-defined
SA-11(6)
Attack Surface Reviews
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
SA-11(7)
Verify Scope of Testing / Evaluation 1 param
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage...
Param ID Label Constraint / Choices
sa-11.7_prm_1 organization-defined depth of testing/evaluation Organization-defined
SA-11(8)
Dynamic Code Analysis
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the re...
sa-11.3.(a) Requires an independent agent satisfying {{ insert: param, sa-11.3_prm_1 }} to verify the correct implementation of the developer security assessme...
sa-11.3.(b) Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to ...
sa-11a Create and implement a security assessment plan;
sa-11b Perform {{ insert: param, sa-11_prm_1 }} testing/evaluation at {{ insert: param, sa-11_prm_2 }};
sa-11c Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
sa-11d Implement a verifiable flaw remediation process; and
sa-11e Correct flaws identified during security testing/evaluation.
SA-12
Supply Chain Protection 1 param
The organization protects against supply chain threats to the information system, system component, or information system service by employing {{ insert: param, sa-12_prm_1 }} as part of a comprehe...
Param ID Label Constraint / Choices
sa-12_prm_1 organization-defined security safeguards Organization-defined
SA-12(1)
Acquisition Strategies / Tools / Methods 1 param
The organization employs {{ insert: param, sa-12.1_prm_1 }} for the purchase of the information system, system component, or information system service from suppliers.
Param ID Label Constraint / Choices
sa-12.1_prm_1 organization-defined tailored acquisition strategies, contract tools, and procurement methods Organization-defined
SA-12(2)
Supplier Reviews
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
SA-12(3)
Trusted Shipping and Warehousing
SA-12(4)
Diversity of Suppliers
SA-12(5)
Limitation of Harm 1 param
The organization employs {{ insert: param, sa-12.5_prm_1 }} to limit harm from potential adversaries identifying and targeting the organizational supply chain.
Param ID Label Constraint / Choices
sa-12.5_prm_1 organization-defined security safeguards Organization-defined
SA-12(6)
Minimizing Procurement Time
SA-12(7)
Assessments Prior to Selection / Acceptance / Update
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
SA-12(8)
Use of All-source Intelligence
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
SA-12(9)
Operations Security 1 param
The organization employs {{ insert: param, sa-12.9_prm_1 }} in accordance with classification guides to protect supply chain-related information for the information system, system component, or inf...
Param ID Label Constraint / Choices
sa-12.9_prm_1 organization-defined Operations Security (OPSEC) safeguards Organization-defined
SA-12(10)
Validate as Genuine and Not Altered 1 param
The organization employs {{ insert: param, sa-12.10_prm_1 }} to validate that the information system or system component received is genuine and has not been altered.
Param ID Label Constraint / Choices
sa-12.10_prm_1 organization-defined security safeguards Organization-defined
SA-12(11)
Penetration Testing / Analysis of Elements, Processes, and Actors 2 params
The organization employs {{ insert: param, sa-12.11_prm_1 }} of {{ insert: param, sa-12.11_prm_2 }} associated with the information system, system component, or information system service.
Param ID Label Constraint / Choices
sa-12.11_prm_1 Select one-or-more: organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing
sa-12.11_prm_2 organization-defined supply chain elements, processes, and actors Organization-defined
SA-12(12)
Inter-organizational Agreements
The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.
SA-12(13)
Critical Information System Components 2 params
The organization employs {{ insert: param, sa-12.13_prm_1 }} to ensure an adequate supply of {{ insert: param, sa-12.13_prm_2 }}.
Param ID Label Constraint / Choices
sa-12.13_prm_1 organization-defined security safeguards Organization-defined
sa-12.13_prm_2 organization-defined critical information system components Organization-defined
SA-12(14)
Identity and Traceability 1 param
The organization establishes and retains unique identification of {{ insert: param, sa-12.14_prm_1 }} for the information system, system component, or information system service.
Param ID Label Constraint / Choices
sa-12.14_prm_1 organization-defined supply chain elements, processes, and actors Organization-defined
SA-12(15)
Processes to Address Weaknesses or Deficiencies
The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
SA-13
Trustworthiness 2 params
The organization: a. Describes the trustworthiness required in the {{ insert: param, sa-13_prm_1 }} supporting its critical missions/business functions; and b. Implements {{ insert: param, sa-1...
Param ID Label Constraint / Choices
sa-13_prm_1 organization-defined information system, information system component, or information system service Organization-defined
sa-13_prm_2 organization-defined assurance overlay Organization-defined
sa-13a Describes the trustworthiness required in the {{ insert: param, sa-13_prm_1 }} supporting its critical missions/business functions; and
sa-13b Implements {{ insert: param, sa-13_prm_2 }} to achieve such trustworthiness.
SA-14
Criticality Analysis 2 params
The organization identifies critical information system components and functions by performing a criticality analysis for {{ insert: param, sa-14_prm_1 }} at {{ insert: param, sa-14_prm_2 }}.
Param ID Label Constraint / Choices
sa-14_prm_1 organization-defined information systems, information system components, or information system services Organization-defined
sa-14_prm_2 organization-defined decision points in the system development life cycle Organization-defined
SA-14(1)
Critical Components with No Viable Alternative Sourcing
SA-15
Development Process, Standards, and Tools 2 params
The organization: a. Requires the developer of the information system, system component, or information system service to follow a documented development process that: 1. Explicitly addresses...
Param ID Label Constraint / Choices
sa-15_prm_1 organization-defined frequency Organization-defined
sa-15_prm_2 organization-defined security requirements Organization-defined
SA-15(1)
Quality Metrics 3 params
The organization requires the developer of the information system, system component, or information system service to: (a) Define quality metrics at the beginning of the development process; and ...
Param ID Label Constraint / Choices
sa-15.1_prm_1 Select one-or-more: {{ insert: param, sa-15.1_prm_2 }}; {{ insert: param, sa-15.1_prm_3 }}; upon delivery
sa-15.1_prm_2 organization-defined frequency Organization-defined
sa-15.1_prm_3 organization-defined program review milestones Organization-defined
SA-15(2)
Security Tracking Tools
The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.
SA-15(3)
Criticality Analysis 2 params
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at {{ insert: param, sa-15.3_prm_1 }} and at {{ ...
Param ID Label Constraint / Choices
sa-15.3_prm_1 organization-defined breadth/depth Organization-defined
sa-15.3_prm_2 organization-defined decision points in the system development life cycle Organization-defined
SA-15(4)
Threat Modeling / Vulnerability Analysis 4 params
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at {{ insert: param, sa-15.4_prm_1 }} that: (a) Uses {{ insert: param, sa...
Param ID Label Constraint / Choices
sa-15.4_prm_1 organization-defined breadth/depth Organization-defined
sa-15.4_prm_2 organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels Organization-defined
sa-15.4_prm_3 organization-defined tools and methods Organization-defined
sa-15.4_prm_4 organization-defined acceptance criteria Organization-defined
SA-15(5)
Attack Surface Reduction 1 param
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to {{ insert: param, sa-15.5_prm_1 }}.
Param ID Label Constraint / Choices
sa-15.5_prm_1 organization-defined thresholds Organization-defined
SA-15(6)
Continuous Improvement
The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
SA-15(7)
Automated Vulnerability Analysis 2 params
The organization requires the developer of the information system, system component, or information system service to: (a) Perform an automated vulnerability analysis using {{ insert: param, sa-1...
Param ID Label Constraint / Choices
sa-15.7_prm_1 organization-defined tools Organization-defined
sa-15.7_prm_2 organization-defined personnel or roles Organization-defined
SA-15(8)
Reuse of Threat / Vulnerability Information
The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components...
SA-15(9)
Use of Live Data
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.
SA-15(10)
Incident Response Plan
The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.
SA-15(11)
Archive Information System / Component
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence support...
sa-15.1.(a) Define quality metrics at the beginning of the development process; and
sa-15.1.(b) Provide evidence of meeting the quality metrics {{ insert: param, sa-15.1_prm_1 }}.
sa-15.4.(a) Uses {{ insert: param, sa-15.4_prm_2 }};
sa-15.4.(b) Employs {{ insert: param, sa-15.4_prm_3 }}; and
sa-15.4.(c) Produces evidence that meets {{ insert: param, sa-15.4_prm_4 }}.
sa-15.7.(a) Perform an automated vulnerability analysis using {{ insert: param, sa-15.7_prm_1 }};
sa-15.7.(b) Determine the exploitation potential for discovered vulnerabilities;
sa-15.7.(c) Determine potential risk mitigations for delivered vulnerabilities; and
sa-15.7.(d) Deliver the outputs of the tools and results of the analysis to {{ insert: param, sa-15.7_prm_2 }}.
sa-15a Requires the developer of the information system, system component, or information system service to follow a documented development process that:
sa-15a.1 Explicitly addresses security requirements;
sa-15a.2 Identifies the standards and tools used in the development process;
sa-15a.3 Documents the specific tool options and tool configurations used in the development process; and
sa-15a.4 Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
sa-15b Reviews the development process, standards, tools, and tool options/configurations {{ insert: param, sa-15_prm_1 }} to determine if the process, st...
SA-16
Developer-provided Training 1 param
The organization requires the developer of the information system, system component, or information system service to provide {{ insert: param, sa-16_prm_1 }} on the correct use and operation of th...
Param ID Label Constraint / Choices
sa-16_prm_1 organization-defined training Organization-defined
SA-17
Developer Security Architecture and Design
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: a. Is consiste...
SA-17(1)
Formal Policy Model 1 param
The organization requires the developer of the information system, system component, or information system service to: (a) Produce, as an integral part of the development process, a formal policy...
Param ID Label Constraint / Choices
sa-17.1_prm_1 organization-defined elements of organizational security policy Organization-defined
SA-17(2)
Security-relevant Components
The organization requires the developer of the information system, system component, or information system service to: (a) Define security-relevant hardware, software, and firmware; and (b) Pro...
SA-17(3)
Formal Correspondence
The organization requires the developer of the information system, system component, or information system service to: (a) Produce, as an integral part of the development process, a formal top-le...
SA-17(4)
Informal Correspondence 1 param
The organization requires the developer of the information system, system component, or information system service to: (a) Produce, as an integral part of the development process, an informal des...
Param ID Label Constraint / Choices
sa-17.4_prm_1 Select one: informal demonstration, convincing argument with formal methods as feasible
SA-17(5)
Conceptually Simple Design
The organization requires the developer of the information system, system component, or information system service to: (a) Design and structure the security-relevant hardware, software, and firmw...
SA-17(6)
Structure for Testing
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate test...
SA-17(7)
Structure for Least Privilege
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate cont...
sa-17.1.(a) Produce, as an integral part of the development process, a formal policy model describing the {{ insert: param, sa-17.1_prm_1 }} to be enforced; and
sa-17.1.(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy wh...
sa-17.2.(a) Define security-relevant hardware, software, and firmware; and
sa-17.2.(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
sa-17.3.(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardwa...
sa-17.3.(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent wi...
sa-17.3.(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, ...
sa-17.3.(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
sa-17.3.(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly interna...
sa-17.4.(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-...
sa-17.4.(b) Show via {{ insert: param, sa-17.4_prm_1 }} that the descriptive top-level specification is consistent with the formal policy model;
sa-17.4.(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, softw...
sa-17.4.(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmwar...
sa-17.4.(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly in...
sa-17.5.(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precis...
sa-17.5.(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
sa-17a Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organiza...
sa-17b Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical compone...
sa-17c Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approac...
SA-18
Tamper Resistance and Detection
The organization implements a tamper protection program for the information system, system component, or information system service.
SA-18(1)
Multiple Phases of SDLC
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance.
SA-18(2)
Inspection of Information Systems, Components, or Devices 4 params
The organization inspects {{ insert: param, sa-18.2_prm_1 }} {{ insert: param, sa-18.2_prm_2 }} to detect tampering.
Param ID Label Constraint / Choices
sa-18.2_prm_1 organization-defined information systems, system components, or devices Organization-defined
sa-18.2_prm_2 Select one-or-more: at random; at {{ insert: param, sa-18.2_prm_3 }}, upon {{ insert: param, sa-18.2_prm_4 }}
sa-18.2_prm_3 organization-defined frequency Organization-defined
sa-18.2_prm_4 organization-defined indications of need for inspection Organization-defined
SA-19
Component Authenticity 3 params
The organization: a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and ...
Param ID Label Constraint / Choices
sa-19_prm_1 Select one-or-more: source of counterfeit component; {{ insert: param, sa-19_prm_2 }} ; {{ insert: param, sa-19_prm_3 }}
sa-19_prm_2 organization-defined external reporting organizations Organization-defined
sa-19_prm_3 organization-defined personnel or roles Organization-defined
SA-19(1)
Anti-counterfeit Training 1 param
The organization trains {{ insert: param, sa-19.1_prm_1 }} to detect counterfeit information system components (including hardware, software, and firmware).
Param ID Label Constraint / Choices
sa-19.1_prm_1 organization-defined personnel or roles Organization-defined
SA-19(2)
Configuration Control for Component Service / Repair 1 param
The organization maintains configuration control over {{ insert: param, sa-19.2_prm_1 }} awaiting service/repair and serviced/repaired components awaiting return to service.
Param ID Label Constraint / Choices
sa-19.2_prm_1 organization-defined information system components Organization-defined
SA-19(3)
Component Disposal 1 param
The organization disposes of information system components using {{ insert: param, sa-19.3_prm_1 }}.
Param ID Label Constraint / Choices
sa-19.3_prm_1 organization-defined techniques and methods Organization-defined
SA-19(4)
Anti-counterfeit Scanning 1 param
The organization scans for counterfeit information system components {{ insert: param, sa-19.4_prm_1 }}.
Param ID Label Constraint / Choices
sa-19.4_prm_1 organization-defined frequency Organization-defined
sa-19a Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering th...
sa-19b Reports counterfeit information system components to {{ insert: param, sa-19_prm_1 }}.
sa-1a Develops, documents, and disseminates to {{ insert: param, sa-1_prm_1 }}:
sa-1a.1 A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organiza...
sa-1a.2 Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
sa-1b Reviews and updates the current:
sa-1b.1 System and services acquisition policy {{ insert: param, sa-1_prm_2 }}; and
sa-1b.2 System and services acquisition procedures {{ insert: param, sa-1_prm_3 }}.
SA-20
Customized Development of Critical Components 1 param
The organization re-implements or custom develops {{ insert: param, sa-20_prm_1 }}.
Param ID Label Constraint / Choices
sa-20_prm_1 organization-defined critical information system components Organization-defined
SA-21
Developer Screening 3 params
The organization requires that the developer of {{ insert: param, sa-21_prm_1 }}: a. Have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_prm_2 }}; and b. Sa...
Param ID Label Constraint / Choices
sa-21_prm_1 organization-defined information system, system component, or information system service Organization-defined
sa-21_prm_2 organization-defined official government duties Organization-defined
sa-21_prm_3 organization-defined additional personnel screening criteria Organization-defined
SA-21(1)
Validation of Screening 1 param
The organization requires the developer of the information system, system component, or information system service take {{ insert: param, sa-21.1_prm_1 }} to ensure that the required access authori...
Param ID Label Constraint / Choices
sa-21.1_prm_1 organization-defined actions Organization-defined
sa-21a Have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_prm_2 }}; and
sa-21b Satisfy {{ insert: param, sa-21_prm_3 }}.
SA-22
Unsupported System Components 2 params
The organization: a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and b. Provides justification and...
Param ID Label Constraint / Choices
sa-22_odp.01 Select one-or-more: in-house support; {{ insert: param, sa-22_odp.02 }}
sa-22_odp.02 support from external providers support from external providers is defined (if selected);
SA-22(1)
Alternative Sources for Continued Support 2 params
The organization provides {{ insert: param, sa-22.1_prm_1 }} for unsupported information system components.
Param ID Label Constraint / Choices
sa-22.1_prm_1 Select one-or-more: in-house support; {{ insert: param, sa-22.1_prm_2 }}
sa-22.1_prm_2 organization-defined support from external providers Organization-defined
sa-22a Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
sa-22b Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
sa-2a Determines information security requirements for the information system or information system service in mission/business process planning;
sa-2b Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital ...
sa-2c Establishes a discrete line item for information security in organizational programming and budgeting documentation.
sa-3a Manages the information system using {{ insert: param, sa-3_prm_1 }} that incorporates information security considerations;
sa-3b Defines and documents information security roles and responsibilities throughout the system development life cycle;
sa-3c Identifies individuals having information security roles and responsibilities; and
sa-3d Integrates the organizational information security risk management process into system development life cycle activities.
sa-4.5.(a) Deliver the system, component, or service with {{ insert: param, sa-4.5_prm_1 }} implemented; and
sa-4.5.(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
sa-4.6.(a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology pr...
sa-4.6.(b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
sa-4.7.(a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been ...
sa-4.7.(b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product r...
sa-4a Security functional requirements;
sa-4b Security strength requirements;
sa-4c Security assurance requirements;
sa-4d Security-related documentation requirements;
sa-4e Requirements for protecting security-related documentation;
sa-4f Description of the information system development environment and environment in which the system is intended to operate; and
sa-4g Acceptance criteria.
sa-5a Obtains administrator documentation for the information system, system component, or information system service that describes:
sa-5a.1 Secure configuration, installation, and operation of the system, component, or service;
sa-5a.2 Effective use and maintenance of security functions/mechanisms; and
sa-5a.3 Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
sa-5b Obtains user documentation for the information system, system component, or information system service that describes:
sa-5b.1 User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
sa-5b.2 Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
sa-5b.3 User responsibilities in maintaining the security of the system, component, or service;
sa-5c Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either un...
sa-5d Protects documentation as required, in accordance with the risk management strategy; and
sa-5e Distributes documentation to {{ insert: param, sa-5_prm_2 }}.
sa-9.1.(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
sa-9.1.(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by {{ insert: param, sa-9.1_prm_1 }}.
sa-9a Requires that providers of external information system services comply with organizational information security requirements and employ {{ insert: ...
sa-9b Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
sa-9c Employs {{ insert: param, sa-9_prm_2 }} to monitor security control compliance by external service providers on an ongoing basis.