Control ID Title / Statement Priority Baseline Impact
SA-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}: 1. {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that: (a) Addresses purpose, scope,...
Param ID Label Constraint / Choices
sa-1_prm_1 organization-defined personnel or roles Organization-defined
sa-01_odp.01 personnel or roles personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;
sa-01_odp.02 personnel or roles personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;
sa-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
sa-01_odp.04 official an official to manage the system and services acquisition policy and procedures is defined;
sa-01_odp.05 frequency the frequency at which the current system and services acquisition policy is reviewed and updated is defined;
sa-01_odp.06 events events that would require the current system and services acquisition policy to be reviewed and updated are defined;
sa-01_odp.07 frequency the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;
sa-01_odp.08 events events that would require the system and services acquisition procedures to be reviewed and updated are defined;
SA-02
Allocation of Resources
a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; b. Determine, document, and allocate the res...
SA-03
System Development Life Cycle 1 param
a. Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations; b. Define and document information security an...
Param ID Label Constraint / Choices
sa-03_odp system-development life cycle system development life cycle is defined;
SA-03(01)
Manage Preproduction Environment
Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.
SA-03(02)
Use of Live or Operational Data
(a) Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and (b) Protect preproduction environments for the sys...
SA-03(03)
Technology Refresh
Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.
SA-04
Acquisition Process 2 params
Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or ...
Param ID Label Constraint / Choices
sa-04_odp.01 Select one-or-more: standardized contract language; {{ insert: param, sa-04_odp.02 }}
sa-04_odp.02 contract language contract language is defined (if selected);
SA-04(01)
Functional Properties of Controls
Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
SA-04(02)
Design and Implementation Information for Controls 3 params
Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ ...
Param ID Label Constraint / Choices
sa-04.02_odp.01 Select one-or-more: security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; {{ insert: param, sa-04.02_odp.02 }}
sa-04.02_odp.02 design and implementation information design and implementation information is defined (if selected);
sa-04.02_odp.03 level of detail level of detail is defined;
SA-04(03)
Development Methods, Techniques, and Practices 8 params
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: (a) {{ insert: param, sa-04.03_odp.01 }};...
Param ID Label Constraint / Choices
sa-04.03_odp.01 systems engineering methods systems engineering methods are defined;
sa-04.03_odp.02 Select one-or-more: {{ insert: param, sa-04.03_odp.03 }} ; {{ insert: param, sa-04.03_odp.04 }}
sa-04.03_odp.03 system security engineering methods system security engineering methods are defined (if selected);
sa-04.03_odp.04 privacy engineering methods privacy engineering methods are defined (if selected);
sa-04.03_odp.05 Select one-or-more: {{ insert: param, sa-04.03_odp.06 }} ; {{ insert: param, sa-04.03_odp.07 }} ; {{ insert: param, sa-04.03_odp.08 }}
sa-04.03_odp.06 software development methods software development methods are defined (if selected);
sa-04.03_odp.07 testing, evaluation, assessment, verification, and validation methods testing, evaluation, assessment, verification, and validation methods are defined (if selected);
sa-04.03_odp.08 quality control processes quality control processes are defined (if selected);
SA-04(04)
Assignment of Components to Systems
[Withdrawn: Incorporated into CM-8(9).]
SA-04(05)
System, Component, and Service Configurations 1 param
Require the developer of the system, system component, or system service to: (a) Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and (b) Use the co...
Param ID Label Constraint / Choices
sa-04.05_odp security configurations security configurations for the system, component, or service are defined;
SA-04(06)
Use of Information Assurance Products
(a) Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution ...
SA-04(07)
NIAP-approved Protection Profiles
(a) Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against ...
SA-04(08)
Continuous Monitoring Plan for Controls
Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring progr...
SA-04(09)
Functions, Ports, Protocols, and Services in Use
Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.
SA-04(10)
Use of Approved PIV Products
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
SA-04(11)
System of Records 1 param
Include {{ insert: param, sa-04.11_odp }} in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.
Param ID Label Constraint / Choices
sa-04.11_odp Privacy Act requirements Privacy Act requirements for the operation of a system of records are defined;
SA-04(12)
Data Ownership 1 param
(a) Include organizational data ownership requirements in the acquisition contract; and (b) Require all data to be removed from the contractor’s system and returned to the organization within {...
Param ID Label Constraint / Choices
sa-04.12_odp time frame time frame to remove data from a contractor system and return it to the organization is defined;
SA-05
System Documentation 2 params
a. Obtain or develop administrator documentation for the system, system component, or system service that describes: 1. Secure configuration, installation, and operation of the system, compon...
Param ID Label Constraint / Choices
sa-05_odp.01 actions actions to take when system, system component, or system service documentation is either unavailable or nonexistent a...
sa-05_odp.02 personnel or roles personnel or roles to distribute system documentation to is/are defined;
SA-05(01)
Functional Properties of Security Controls
[Withdrawn: Incorporated into SA-4(1).]
SA-05(02)
Security-relevant External System Interfaces
[Withdrawn: Incorporated into SA-4(2).]
SA-05(03)
High-level Design
[Withdrawn: Incorporated into SA-4(2).]
SA-05(04)
Low-level Design
[Withdrawn: Incorporated into SA-4(2).]
SA-05(05)
Source Code
[Withdrawn: Incorporated into SA-4(2).]
SA-06
Software Usage Restrictions
[Withdrawn: Incorporated into CM-10 and SI-7.]
SA-07
User-installed Software
[Withdrawn: Incorporated into CM-11 and SI-7.]
SA-08
Security and Privacy Engineering Principles 3 params
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: p...
Param ID Label Constraint / Choices
sa-8_prm_1 organization-defined systems security and privacy engineering principles Organization-defined
sa-08_odp.01 systems security engineering principles systems security engineering principles are defined;
sa-08_odp.02 privacy engineering principles privacy engineering principles are defined;
SA-08(01)
Clear Abstractions
Implement the security design principle of clear abstractions.
SA-08(02)
Least Common Mechanism 1 param
Implement the security design principle of least common mechanism in {{ insert: param, sa-08.02_odp }}.
Param ID Label Constraint / Choices
sa-08.02_odp systems or system components systems or system components that implement the security design principle of least common mechanism are defined;
SA-08(03)
Modularity and Layering 3 params
Implement the security design principles of modularity and layering in {{ insert: param, sa-8.3_prm_1 }}.
Param ID Label Constraint / Choices
sa-8.3_prm_1 organization-defined systems or system components Organization-defined
sa-08.03_odp.01 systems or system components systems or system components that implement the security design principle of modularity are defined;
sa-08.03_odp.02 systems or system components systems or system components that implement the security design principle of layering are defined;
SA-08(04)
Partially Ordered Dependencies 1 param
Implement the security design principle of partially ordered dependencies in {{ insert: param, sa-08.04_odp }}.
Param ID Label Constraint / Choices
sa-08.04_odp systems or system components systems or system components that implement the security design principle of partially ordered dependencies are defined;
SA-08(05)
Efficiently Mediated Access 1 param
Implement the security design principle of efficiently mediated access in {{ insert: param, sa-08.05_odp }}.
Param ID Label Constraint / Choices
sa-08.05_odp systems or system components systems or system components that implement the security design principle of efficiently mediated access are defined;
SA-08(06)
Minimized Sharing 1 param
Implement the security design principle of minimized sharing in {{ insert: param, sa-08.06_odp }}.
Param ID Label Constraint / Choices
sa-08.06_odp systems or system components systems or system components that implement the security design principle of minimized sharing are defined;
SA-08(07)
Reduced Complexity 1 param
Implement the security design principle of reduced complexity in {{ insert: param, sa-08.07_odp }}.
Param ID Label Constraint / Choices
sa-08.07_odp systems or system components systems or system components that implement the security design principle of reduced complexity are defined;
SA-08(08)
Secure Evolvability 1 param
Implement the security design principle of secure evolvability in {{ insert: param, sa-08.08_odp }}.
Param ID Label Constraint / Choices
sa-08.08_odp systems or system components systems or system components that implement the security design principle of secure evolvability are defined;
SA-08(09)
Trusted Components 1 param
Implement the security design principle of trusted components in {{ insert: param, sa-08.09_odp }}.
Param ID Label Constraint / Choices
sa-08.09_odp systems or system components systems or system components that implement the security design principle of trusted components are defined;
SA-08(10)
Hierarchical Trust 1 param
Implement the security design principle of hierarchical trust in {{ insert: param, sa-08.10_odp }}.
Param ID Label Constraint / Choices
sa-08.10_odp systems or system components systems or system components that implement the security design principle of hierarchical trust are defined;
SA-08(11)
Inverse Modification Threshold 1 param
Implement the security design principle of inverse modification threshold in {{ insert: param, sa-08.11_odp }}.
Param ID Label Constraint / Choices
sa-08.11_odp systems or system components systems or system components that implement the security design principle of inverse modification threshold are defined;
SA-08(12)
Hierarchical Protection 1 param
Implement the security design principle of hierarchical protection in {{ insert: param, sa-08.12_odp }}.
Param ID Label Constraint / Choices
sa-08.12_odp systems or system components systems or system components that implement the security design principle of hierarchical protection are defined;
SA-08(13)
Minimized Security Elements 1 param
Implement the security design principle of minimized security elements in {{ insert: param, sa-08.13_odp }}.
Param ID Label Constraint / Choices
sa-08.13_odp systems or system components systems or system components that implement the security design principle of minimized security elements are defined;
SA-08(14)
Least Privilege 1 param
Implement the security design principle of least privilege in {{ insert: param, sa-08.14_odp }}.
Param ID Label Constraint / Choices
sa-08.14_odp systems or system components systems or system components that implement the security design principle of least privilege are defined;
SA-08(15)
Predicate Permission 1 param
Implement the security design principle of predicate permission in {{ insert: param, sa-08.15_odp }}.
Param ID Label Constraint / Choices
sa-08.15_odp systems or system components systems or system components that implement the security design principle of predicate permission are defined;
SA-08(16)
Self-reliant Trustworthiness 1 param
Implement the security design principle of self-reliant trustworthiness in {{ insert: param, sa-08.16_odp }}.
Param ID Label Constraint / Choices
sa-08.16_odp systems or system components systems or system components that implement the security design principle of self-reliant trustworthiness are defined;
SA-08(17)
Secure Distributed Composition 1 param
Implement the security design principle of secure distributed composition in {{ insert: param, sa-08.17_odp }}.
Param ID Label Constraint / Choices
sa-08.17_odp systems or system components systems or system components that implement the security design principle of secure distributed composition are defined;
SA-08(18)
Trusted Communications Channels 1 param
Implement the security design principle of trusted communications channels in {{ insert: param, sa-08.18_odp }}.
Param ID Label Constraint / Choices
sa-08.18_odp systems or system components systems or system components that implement the security design principle of trusted communications channels are defi...
SA-08(19)
Continuous Protection 1 param
Implement the security design principle of continuous protection in {{ insert: param, sa-08.19_odp }}.
Param ID Label Constraint / Choices
sa-08.19_odp systems or system components systems or system components that implement the security design principle of continuous protection are defined;
SA-08(20)
Secure Metadata Management 1 param
Implement the security design principle of secure metadata management in {{ insert: param, sa-08.20_odp }}.
Param ID Label Constraint / Choices
sa-08.20_odp systems or system components systems or system components that implement the security design principle of secure metadata management are defined;
SA-08(21)
Self-analysis 1 param
Implement the security design principle of self-analysis in {{ insert: param, sa-08.21_odp }}.
Param ID Label Constraint / Choices
sa-08.21_odp systems or system components systems or system components that implement the security design principle of self-analysis are defined;
SA-08(22)
Accountability and Traceability 3 params
Implement the security design principle of accountability and traceability in {{ insert: param, sa-8.22_prm_1 }}.
Param ID Label Constraint / Choices
sa-8.22_prm_1 organization-defined systems or system components Organization-defined
sa-08.22_odp.01 systems or system components systems or system components that implement the security design principle of accountability are defined;
sa-08.22_odp.02 systems or system components systems or system components that implement the security design principle of traceability are defined;
SA-08(23)
Secure Defaults 1 param
Implement the security design principle of secure defaults in {{ insert: param, sa-08.23_odp }}.
Param ID Label Constraint / Choices
sa-08.23_odp systems or system components systems or system components that implement the security design principle of secure defaults are defined;
SA-08(24)
Secure Failure and Recovery 3 params
Implement the security design principle of secure failure and recovery in {{ insert: param, sa-8.24_prm_1 }}.
Param ID Label Constraint / Choices
sa-8.24_prm_1 organization-defined systems or system components Organization-defined
sa-08.24_odp.01 systems or system components systems or system components that implement the security design principle of secure failure are defined;
sa-08.24_odp.02 systems or system components systems or system components that implement the security design principle of secure recovery are defined;
SA-08(25)
Economic Security 1 param
Implement the security design principle of economic security in {{ insert: param, sa-08.25_odp }}.
Param ID Label Constraint / Choices
sa-08.25_odp systems or system components systems or system components that implement the security design principle of economic security are defined;
SA-08(26)
Performance Security 1 param
Implement the security design principle of performance security in {{ insert: param, sa-08.26_odp }}.
Param ID Label Constraint / Choices
sa-08.26_odp systems or system components systems or system components that implement the security design principle of performance security are defined;
SA-08(27)
Human Factored Security 1 param
Implement the security design principle of human factored security in {{ insert: param, sa-08.27_odp }}.
Param ID Label Constraint / Choices
sa-08.27_odp systems or system components systems or system components that implement the security design principle of human factored security are defined;
SA-08(28)
Acceptable Security 1 param
Implement the security design principle of acceptable security in {{ insert: param, sa-08.28_odp }}.
Param ID Label Constraint / Choices
sa-08.28_odp systems or system components systems or system components that implement the security design principle of acceptable security are defined;
SA-08(29)
Repeatable and Documented Procedures 1 param
Implement the security design principle of repeatable and documented procedures in {{ insert: param, sa-08.29_odp }}.
Param ID Label Constraint / Choices
sa-08.29_odp systems or system components systems or system components that implement the security design principle of repeatable and documented procedures are...
SA-08(30)
Procedural Rigor 1 param
Implement the security design principle of procedural rigor in {{ insert: param, sa-08.30_odp }}.
Param ID Label Constraint / Choices
sa-08.30_odp systems or system components systems or system components that implement the security design principle of procedural rigor are defined;
SA-08(31)
Secure System Modification 1 param
Implement the security design principle of secure system modification in {{ insert: param, sa-08.31_odp }}.
Param ID Label Constraint / Choices
sa-08.31_odp systems or system components systems or system components that implement the security design principle of secure system modification are defined;
SA-08(32)
Sufficient Documentation 1 param
Implement the security design principle of sufficient documentation in {{ insert: param, sa-08.32_odp }}.
Param ID Label Constraint / Choices
sa-08.32_odp systems or system components systems or system components that implement the security design principle of sufficient documentation are defined;
SA-08(33)
Minimization 1 param
Implement the privacy principle of minimization using {{ insert: param, sa-08.33_odp }}.
Param ID Label Constraint / Choices
sa-08.33_odp processes processes that implement the privacy principle of minimization are defined;
SA-09
External System Services 2 params
a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }}; b. Defin...
Param ID Label Constraint / Choices
sa-09_odp.01 controls controls to be employed by external system service providers are defined;
sa-09_odp.02 processes, methods, and techniques processes, methods, and techniques employed to monitor control compliance by external service providers are defined;
SA-09(01)
Risk Assessments and Organizational Approvals 1 param
(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (b) Verify that the acquisition or outsourcing of dedicated inform...
Param ID Label Constraint / Choices
sa-09.01_odp personnel or roles personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defi...
SA-09(02)
Identification of Functions, Ports, Protocols, and Services 1 param
Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}.
Param ID Label Constraint / Choices
sa-09.02_odp external system services external system services that require the identification of functions, ports, protocols, and other services are defined;
SA-09(03)
Establish and Maintain Trust Relationship with Providers 3 params
Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: {{ insert: param, sa-9.3_prm_1 }}.
Param ID Label Constraint / Choices
sa-9.3_prm_1 organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships Organization-defined
sa-09.03_odp.01 security requirements, properties, factors, or conditions security requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust re...
sa-09.03_odp.02 privacy requirements, properties, factors, or conditions privacy requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust rel...
SA-09(04)
Consistent Interests of Consumers and Providers 2 params
Take the following actions to verify that the interests of {{ insert: param, sa-09.04_odp.01 }} are consistent with and reflect organizational interests: {{ insert: param, sa-09.04_odp.02 }}.
Param ID Label Constraint / Choices
sa-09.04_odp.01 external service providers external service providers are defined;
sa-09.04_odp.02 actions actions to be taken to verify that the interests of external service providers are consistent with and reflect organi...
SA-09(05)
Processing, Storage, and Service Location 3 params
Restrict the location of {{ insert: param, sa-09.05_odp.01 }} to {{ insert: param, sa-09.05_odp.02 }} based on {{ insert: param, sa-09.05_odp.03 }}.
Param ID Label Constraint / Choices
sa-09.05_odp.01 Select one-or-more: information processing; information or data; system services
sa-09.05_odp.02 locations locations where {{ insert: param, sa-09.05_odp.01 }} is/are to be restricted are defined;
sa-09.05_odp.03 requirements requirements or conditions for restricting the location of {{ insert: param, sa-09.05_odp.01 }} are defined;
SA-09(06)
Organization-controlled Cryptographic Keys
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
SA-09(07)
Organization-controlled Integrity Checking
Provide the capability to check the integrity of information while it resides in the external system.
SA-09(08)
Processing and Storage Location — U.S. Jurisdiction
Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.
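SA-09(06) and SA-09(07) together describe one pattern: the organization holds the key, and the provider holds only data plus an opaque tag it cannot forge. The following is an added example, not part of the control catalog and not any provider's code. It uses HMAC-SHA256 from the Python standard library; the "external system" is a constructed in-memory dict standing in for a provider's object store, the object names and contents are made up, and the key is generated locally for the demo (in practice it would live in the organization's own KMS or HSM).

```python
"""Organization-controlled integrity checking for objects held in an
external system: the org keeps the MAC key, the provider sees data + tag.
Added example; the external store is a constructed in-memory dict.
"""
import hashlib
import hmac
import secrets

# The key stays with the organization; it is never sent to the provider.
# Generated locally for this demo (constructed, not a real key).
ORG_KEY = secrets.token_bytes(32)


def integrity_tag(key: bytes, object_name: str, data: bytes) -> str:
    """HMAC-SHA256 over (object name, data).

    Binding the name into the MAC means a provider cannot satisfy a read of
    one object by returning another object's valid (data, tag) pair.
    The length prefix keeps the (name, data) boundary unambiguous.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    name = object_name.encode("utf-8")
    mac.update(len(name).to_bytes(4, "big"))
    mac.update(name)
    mac.update(data)
    return mac.hexdigest()


def store(external: dict, key: bytes, object_name: str, data: bytes) -> None:
    """Upload data plus its tag; the provider receives no key material."""
    external[object_name] = {"data": data, "tag": integrity_tag(key, object_name, data)}


def fetch_verified(external: dict, key: bytes, object_name: str) -> bytes:
    """Return the object's bytes only if the tag verifies under the org key."""
    record = external[object_name]
    expected = integrity_tag(key, object_name, record["data"])
    if not hmac.compare_digest(expected, record["tag"]):  # constant-time compare
        raise ValueError(f"integrity check failed for {object_name!r}")
    return record["data"]


def _rejected(external: dict, key: bytes, object_name: str) -> bool:
    """True if fetch_verified refuses to return the object."""
    try:
        fetch_verified(external, key, object_name)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Walk through a clean read, byte tampering, object substitution and forgery."""
    external = {}  # constructed stand-in for the provider's object store
    q1 = b"id,total\n1,100\n"
    store(external, ORG_KEY, "reports/q1.csv", q1)
    store(external, ORG_KEY, "reports/q2.csv", b"id,total\n1,250\n")
    results = {"clean": fetch_verified(external, ORG_KEY, "reports/q1.csv") == q1}

    # Provider-side modification of the bytes is detected.
    external["reports/q1.csv"]["data"] = b"id,total\n1,999\n"
    results["tamper_detected"] = _rejected(external, ORG_KEY, "reports/q1.csv")

    # Substituting another object's valid (data, tag) pair is detected too.
    external["reports/q1.csv"] = dict(external["reports/q2.csv"])
    results["swap_detected"] = _rejected(external, ORG_KEY, "reports/q1.csv")

    # Without the org key, a provider cannot tag content of its choosing.
    external["reports/q1.csv"] = {
        "data": b"forged",
        "tag": integrity_tag(b"\x00" * 32, "reports/q1.csv", b"forged"),  # wrong key
    }
    results["forge_detected"] = _rejected(external, ORG_KEY, "reports/q1.csv")
    return results


if __name__ == "__main__":
    print(demo())
```

The check only covers integrity; confidentiality against the provider needs client-side encryption under a separately held key, and the tags themselves (or a manifest of them) should be retained by the organization if the provider is not trusted to store them faithfully.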
SA-10
Developer Configuration Management 3 params
Require the developer of the system, system component, or system service to: a. Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }}; b. Docum...
Param ID Label Constraint / Choices
sa-10_odp.01 Select one-or-more: design; development; implementation; operation; disposal
sa-10_odp.02 configuration items configuration items under configuration management are defined;
sa-10_odp.03 personnel personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are de...
SA-10(01)
Software and Firmware Integrity Verification
Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
SA-10(02)
Alternative Configuration Management Processes
Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
SA-10(03)
Hardware Integrity Verification
Require the developer of the system, system component, or system service to enable integrity verification of hardware components.
SA-10(04)
Trusted Generation
Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object c...
SA-10(05)
Mapping Integrity for Version Control
Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant h...
SA-10(06)
Trusted Distribution
Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organi...
SA-10(07)
Security and Privacy Representatives 6 params
Require {{ insert: param, sa-10.7_prm_1 }} to be included in the {{ insert: param, sa-10.7_prm_2 }}.
Param ID Label Constraint / Choices
sa-10.7_prm_1 organization-defined security and privacy representatives Organization-defined
sa-10.7_prm_2 organization-defined configuration change management and control process Organization-defined
sa-10.07_odp.01 security representatives security representatives to be included in the configuration change management and control process are defined;
sa-10.07_odp.02 privacy representatives privacy representatives to be included in the configuration change management and control process are defined;
sa-10.07_odp.03 configuration change management and control processes configuration change management and control processes in which security representatives are required to be included a...
sa-10.07_odp.04 configuration change management and control processes configuration change management and control processes in which privacy representatives are required to be included ar...
SA-10 statement items (full text of a. through e., continued from the SA-10 row above):
sa-10a Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};
sa-10b Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};
sa-10c Implement only organization-approved changes to the system, component, or service;
sa-10d Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
sa-10e Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}.
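SA-10(04) (trusted generation) and SA-10(05) (mapping integrity for version control) reduce to two checks a build pipeline can run: compare the newly generated artifacts against the recorded previous version so that every change is accounted for by an approved change (SA-10c/d), and generate twice to confirm the output is reproducible. The following is an added example, not part of the control catalog and not any project's tooling. Build outputs are constructed in-memory path-to-bytes maps standing in for files on disk, and the artifact names, contents and approved-change list are made up for the demo.

```python
"""Version-to-version comparison and reproducibility check for build output.
Added example; all build outputs below are constructed in-memory data.
"""
import hashlib
from typing import Dict, List, Set


def build_manifest(outputs: Dict[str, bytes]) -> Dict[str, str]:
    """Path -> SHA-256 of content: the 'master build data' recorded per version."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in outputs.items()}


def compare_versions(previous: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every artifact as added, removed, changed or unchanged."""
    prev_paths, cur_paths = set(previous), set(current)
    common = prev_paths & cur_paths
    return {
        "added": sorted(cur_paths - prev_paths),
        "removed": sorted(prev_paths - cur_paths),
        "changed": sorted(p for p in common if previous[p] != current[p]),
        "unchanged": sorted(p for p in common if previous[p] == current[p]),
    }


def unexpected_changes(report: Dict[str, List[str]], approved: Set[str]) -> List[str]:
    """Added or changed artifacts that no approved change accounts for.
    Anything listed here blocks release until it is explained and approved."""
    return sorted(p for p in report["added"] + report["changed"] if p not in approved)


def nondeterministic_outputs(build_a: Dict[str, bytes], build_b: Dict[str, bytes]) -> List[str]:
    """Paths whose bytes differ between two generations from identical source.
    These cannot be verified by digest comparison until the source of
    variation (timestamps, build paths, ordering) is removed."""
    ma, mb = build_manifest(build_a), build_manifest(build_b)
    return sorted(p for p in set(ma) | set(mb) if ma.get(p) != mb.get(p))


# Constructed sample: previous release, new release, and a rebuild of the new release.
PREVIOUS_OUTPUTS = {
    "bin/authd": b"\x7fELF authd v1",
    "lib/libcrypto.so": b"\x7fELF libcrypto 3.0",
    "etc/authd.conf": b"tls_min=1.2\n",
}
NEW_OUTPUTS = {
    "bin/authd": b"\x7fELF authd v2",          # on the approved change list
    "lib/libcrypto.so": b"\x7fELF libcrypto 3.0",
    "etc/authd.conf": b"tls_min=1.0\n",        # silent downgrade, not approved
    "bin/helper": b"\x7fELF helper",            # new artifact nobody approved
}
# Second generation of the same source; the helper embeds a build timestamp.
NEW_OUTPUTS_REBUILT = dict(NEW_OUTPUTS, **{"bin/helper": b"\x7fELF helper built 2024-01-01"})
APPROVED_CHANGES = {"bin/authd"}


def demo() -> dict:
    report = compare_versions(build_manifest(PREVIOUS_OUTPUTS), build_manifest(NEW_OUTPUTS))
    return {
        "report": report,
        "unexpected": unexpected_changes(report, APPROVED_CHANGES),
        "nondeterministic": nondeterministic_outputs(NEW_OUTPUTS, NEW_OUTPUTS_REBUILT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the sample the comparison surfaces the configuration downgrade and the unapproved helper binary, and the rebuild check flags the helper as non-reproducible; the previous version's manifest is what SA-10(05) requires the developer to keep intact, so it should be stored and signed outside the build environment that produced it.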
SA-11
Developer Testing and Evaluation 3 params
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security ...
Param ID Label Constraint / Choices
sa-11_odp.01 Select one-or-more: unit; integration; system; regression
sa-11_odp.02 frequency to conduct frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;
sa-11_odp.03 depth and coverage depth and coverage of {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;
SA-11(01)
Static Code Analysis
Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11(02)
Threat Modeling and Vulnerability Analyses 8 params
Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the sy...
Param ID Label Constraint / Choices
sa-11.2_prm_3 organization-defined breadth and depth of modeling and analyses Organization-defined
sa-11.2_prm_4 organization-defined acceptance criteria Organization-defined
sa-11.02_odp.01 information information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be ...
sa-11.02_odp.02 tools and methods the tools and methods to be employed for threat modeling and vulnerability analyses are defined;
sa-11.02_odp.03 breadth and depth the breadth and depth of threat modeling to be conducted is defined;
sa-11.02_odp.04 breadth and depth the breadth and depth of vulnerability analyses to be conducted is defined;
sa-11.02_odp.05 acceptance criteria acceptance criteria to be met by produced evidence for threat modeling are defined;
sa-11.02_odp.06 acceptance criteria acceptance criteria to be met by produced evidence for vulnerability analyses are defined;
SA-11(03)
Independent Verification of Assessment Plans and Evidence 1 param
(a) Require an independent agent satisfying {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced...
Param ID Label Constraint / Choices
sa-11.03_odp independence criteria independence criteria to be satisfied by an independent agent are defined;
SA-11(04)
Manual Code Reviews 2 params
Require the developer of the system, system component, or system service to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using the following processes, procedures, and/or te...
Param ID Label Constraint / Choices
sa-11.04_odp.01 specific code specific code requiring manual code review is defined;
sa-11.04_odp.02 processes, procedures, and/or techniques processes, procedures, and/or techniques used for manual code reviews are defined;
SA-11(05)
Penetration Testing 4 params
Require the developer of the system, system component, or system service to perform penetration testing: (a) At the following level of rigor: {{ insert: param, sa-11.5_prm_1 }} ; and (b) Under ...
View parameters
Param ID Label Constraint / Choices
sa-11.5_prm_1 organization-defined breadth and depth of testing Organization-defined
sa-11.05_odp.01 breadth the breadth of penetration testing is defined;
sa-11.05_odp.02 depth the depth of penetration testing is defined;
sa-11.05_odp.03 constraints constraints of penetration testing are defined;
SA-11(06)
Attack Surface Reviews
Require the developer of the system, system component, or system service to perform attack surface reviews.
SA-11(07)
Verify Scope of Testing and Evaluation 3 params
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following leve...
View parameters
Param ID Label Constraint / Choices
sa-11.7_prm_1 organization-defined breadth and depth of testing and evaluation Organization-defined
sa-11.07_odp.01 breadth the breadth of testing and evaluation of required controls is defined;
sa-11.07_odp.02 depth the depth of testing and evaluation of required controls is defined;
SA-11(08)
Dynamic Code Analysis
Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
SA-11(09)
Interactive Application Security Testing
Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
sa-11.2.(a) Uses the following contextual information: {{ insert: param, sa-11.02_odp.01 }};
sa-11.2.(b) Employs the following tools and methods: {{ insert: param, sa-11.02_odp.02 }};
sa-11.2.(c) Conducts the modeling and analyses at the following level of rigor: {{ insert: param, sa-11.2_prm_3 }} ; and
sa-11.2.(d) Produces evidence that meets the following acceptance criteria: {{ insert: param, sa-11.2_prm_4 }}.
sa-11.3.(a) Require an independent agent satisfying {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security and privac...
sa-11.3.(b) Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain s...
sa-11.5.(a) At the following level of rigor: {{ insert: param, sa-11.5_prm_1 }} ; and
sa-11.5.(b) Under the following constraints: {{ insert: param, sa-11.05_odp.03 }}.
sa-11a Develop and implement a plan for ongoing security and privacy control assessments;
sa-11b Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};
sa-11c Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
sa-11d Implement a verifiable flaw remediation process; and
sa-11e Correct flaws identified during testing and evaluation.
SA-12
Supply Chain Protection
SA-12(01)
Acquisition Strategies / Tools / Methods
SA-12(02)
Supplier Reviews
SA-12(03)
Trusted Shipping and Warehousing
SA-12(04)
Diversity of Suppliers
SA-12(05)
Limitation of Harm
SA-12(06)
Minimizing Procurement Time
SA-12(07)
Assessments Prior to Selection / Acceptance / Update
SA-12(08)
Use of All-source Intelligence
SA-12(09)
Operations Security
SA-12(10)
Validate as Genuine and Not Altered
SA-12(11)
Penetration Testing / Analysis of Elements, Processes, and Actors
SA-12(12)
Inter-organizational Agreements
SA-12(13)
Critical Information System Components
SA-12(14)
Identity and Traceability
SA-12(15)
Processes to Address Weaknesses or Deficiencies
SA-13
Trustworthiness
SA-14
Criticality Analysis
SA-14(01)
Critical Components with No Viable Alternative Sourcing
SA-15
Development Process, Standards, and Tools 4 params
a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. ...
View parameters
Param ID Label Constraint / Choices
sa-15_prm_2 organization-defined security and privacy requirements Organization-defined
sa-15_odp.01 frequency frequency at which to review the development process, standards, tools, tool options, and tool configurations is defi...
sa-15_odp.02 security requirements security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are def...
sa-15_odp.03 privacy requirements privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defi...
SA-15(01)
Quality Metrics 3 params
Require the developer of the system, system component, or system service to: (a) Define quality metrics at the beginning of the development process; and (b) Provide evidence of meeting the qual...
View parameters
Param ID Label Constraint / Choices
sa-15.01_odp.01 Select one-or-more: {{ insert: param, sa-15.01_odp.02 }} ; {{ insert: param, sa-15.01_odp.03 }} ; upon delivery
sa-15.01_odp.02 frequency frequency at which to provide evidence of meeting the quality metrics is defined (if selected);
sa-15.01_odp.03 program review program review milestones are defined (if selected);
SA-15(02)
Security and Privacy Tracking Tools
Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.
SA-15(03)
Criticality Analysis 4 params
Require the developer of the system, system component, or system service to perform a criticality analysis: (a) At the following decision points in the system development life cycle: {{ insert: p...
View parameters
Param ID Label Constraint / Choices
sa-15.3_prm_2 organization-defined breadth and depth of criticality analysis Organization-defined
sa-15.03_odp.01 decision points decision points in the system development life cycle are defined;
sa-15.03_odp.02 breadth the breadth of criticality analysis is defined;
sa-15.03_odp.03 depth the depth of criticality analysis is defined;
SA-15(04)
Threat Modeling and Vulnerability Analysis
SA-15(05)
Attack Surface Reduction 1 param
Require the developer of the system, system component, or system service to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}.
View parameters
Param ID Label Constraint / Choices
sa-15.05_odp thresholds thresholds to which attack surfaces are to be reduced are defined;
SA-15(06)
Continuous Improvement
Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
SA-15(07)
Automated Vulnerability Analysis 3 params
Require the developer of the system, system component, or system service {{ insert: param, sa-15.07_odp.01 }} to: (a) Perform an automated vulnerability analysis using {{ insert: param, sa-15.07_...
View parameters
Param ID Label Constraint / Choices
sa-15.07_odp.01 frequency frequency at which to conduct vulnerability analysis is defined;
sa-15.07_odp.02 tools tools used to perform automated vulnerability analysis are defined;
sa-15.07_odp.03 personnel or roles personnel or roles to whom the outputs of tools and results of the analysis are to be delivered is/are defined;
SA-15(08)
Reuse of Threat and Vulnerability Information
Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current develo...
SA-15(09)
Use of Live Data
SA-15(10)
Incident Response Plan
Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.
SA-15(11)
Archive System or Component
Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and pri...
SA-15(12)
Minimize Personally Identifiable Information
Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.
SA-15(13)
Logging Syntax 3 params
View parameters
Param ID Label Constraint / Choices
sa-15.13_odp.01 secure logging format(s) secure logging format(s) are defined;
sa-15.13_odp.02 events types to log events types to log are defined;
sa-15.13_odp.03 level of detail to log level of detail to log is defined;
sa-15.1.(a) Define quality metrics at the beginning of the development process; and
sa-15.1.(b) Provide evidence of meeting the quality metrics {{ insert: param, sa-15.01_odp.01 }}.
sa-15.3.(a) At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and
sa-15.3.(b) At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}.
sa-15.7.(a) Perform an automated vulnerability analysis using {{ insert: param, sa-15.07_odp.02 }};
sa-15.7.(b) Determine the exploitation potential for discovered vulnerabilities;
sa-15.7.(c) Determine potential risk mitigations for delivered vulnerabilities; and
sa-15.7.(d) Deliver the outputs of the tools and results of the analysis to {{ insert: param, sa-15.07_odp.03 }}.
sa-15a Require the developer of the system, system component, or system service to follow a documented development process that:
sa-15a.1 Explicitly addresses security and privacy requirements;
sa-15a.2 Identifies the standards and tools used in the development process;
sa-15a.3 Documents the specific tool options and tool configurations used in the development process; and
sa-15a.4 Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
sa-15b Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the proce...
SA-16
Developer-provided Training 1 param
Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, contro...
View parameters
Param ID Label Constraint / Choices
sa-16_odp training training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechani...
SA-17
Developer Security and Privacy Architecture and Design
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: a. Is consistent with the organization’s sec...
SA-17(01)
Formal Policy Model 3 params
Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the development process, a formal policy model describing the {{ insert: param, sa...
View parameters
Param ID Label Constraint / Choices
sa-17.1_prm_1 organization-defined elements of organizational security and privacy policy Organization-defined
sa-17.01_odp.01 organizational security policy organizational security policy to be enforced is defined;
sa-17.01_odp.02 organizational privacy policy organizational privacy policy to be enforced is defined;
SA-17(02)
Security-relevant Components
Require the developer of the system, system component, or system service to: (a) Define security-relevant hardware, software, and firmware; and (b) Provide a rationale that the definition for s...
SA-17(03)
Formal Correspondence
Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the development process, a formal top-level specification that specifies the inter...
SA-17(04)
Informal Correspondence 1 param
Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the development process, an informal descriptive top-level specification that spec...
View parameters
Param ID Label Constraint / Choices
sa-17.04_odp Select one: informal demonstration, convincing argument with formal methods as feasible
SA-17(05)
Conceptually Simple Design
Require the developer of the system, system component, or system service to: (a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple...
SA-17(06)
Structure for Testing
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.
SA-17(07)
Structure for Least Privilege
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
SA-17(08)
Orchestration 2 params
Design {{ insert: param, sa-17.08_odp.01 }} with coordinated behavior to implement the following capabilities: {{ insert: param, sa-17.08_odp.02 }}.
View parameters
Param ID Label Constraint / Choices
sa-17.08_odp.01 critical systems critical systems or system components are defined;
sa-17.08_odp.02 capabilities capabilities to be implemented by systems or components are defined;
SA-17(09)
Design Diversity 1 param
Use different designs for {{ insert: param, sa-17.09_odp }} to satisfy a common set of requirements or to provide equivalent functionality.
View parameters
Param ID Label Constraint / Choices
sa-17.09_odp critical systems critical systems or system components to be designed differently are defined;
sa-17.1.(a) Produce, as an integral part of the development process, a formal policy model describing the {{ insert: param, sa-17.1_prm_1 }} to be enforced; and
sa-17.1.(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and priva...
sa-17.2.(a) Define security-relevant hardware, software, and firmware; and
sa-17.2.(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
sa-17.3.(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardwa...
sa-17.3.(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent wi...
sa-17.3.(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, ...
sa-17.3.(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
sa-17.3.(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly interna...
sa-17.4.(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-...
sa-17.4.(b) Show via {{ insert: param, sa-17.04_odp }} that the descriptive top-level specification is consistent with the formal policy model;
sa-17.4.(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, softw...
sa-17.4.(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmwar...
sa-17.4.(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly in...
sa-17.5.(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precis...
sa-17.5.(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
sa-17a Is consistent with the organization’s security and privacy architecture that is an integral part of the organization’s enterprise architecture;
sa-17b Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical comp...
sa-17c Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabiliti...
SA-18
Tamper Resistance and Detection
SA-18(01)
Multiple Phases of System Development Life Cycle
SA-18(02)
Inspection of Systems or Components
SA-19
Component Authenticity
SA-19(01)
Anti-counterfeit Training
SA-19(02)
Configuration Control for Component Service and Repair
SA-19(03)
Component Disposal
SA-19(04)
Anti-counterfeit Scanning
sa-1a Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:
sa-1a.1 {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:
sa-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
sa-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
sa-1a.2 Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;
sa-1b Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition p...
sa-1c Review and update the current system and services acquisition:
sa-1c.1 Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and
sa-1c.2 Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}.
SA-20
Customized Development of Critical Components 1 param
Reimplement or custom develop the following critical system components: {{ insert: param, sa-20_odp }}.
View parameters
Param ID Label Constraint / Choices
sa-20_odp critical system critical system components to be reimplemented or custom-developed are defined;
SA-21
Developer Screening 3 params
Require that the developer of {{ insert: param, sa-21_odp.01 }}: a. Has appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }} ; and b. Satisfies the foll...
View parameters
Param ID Label Constraint / Choices
sa-21_odp.01 system, systems component, or system service the system, systems component, or system service that the developer has access to is/are defined;
sa-21_odp.02 official government duties official government duties assigned to the developer are defined;
sa-21_odp.03 additional personnel screening criteria additional personnel screening criteria for the developer are defined;
SA-21(01)
Validation of Screening
sa-21a Has appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }} ; and
sa-21b Satisfies the following additional personnel screening criteria: {{ insert: param, sa-21_odp.03 }}.
SA-22
Unsupported System Components 2 params
a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or b. Provide the following options for alternative sources for ...
View parameters
Param ID Label Constraint / Choices
sa-22_odp.01 Select one-or-more: in-house support; {{ insert: param, sa-22_odp.02 }}
sa-22_odp.02 support from external providers support from external providers is defined (if selected);
SA-22(01)
Alternative Sources for Continued Support
sa-22a Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
sa-22b Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}.
SA-23
Specialization 2 params
Employ {{ insert: param, sa-23_odp.01 }} on {{ insert: param, sa-23_odp.02 }} supporting mission essential services or functions to increase the trustworthiness in those systems or components.
View parameters
Param ID Label Constraint / Choices
sa-23_odp.01 Select one-or-more: design modification; augmentation; reconfiguration
sa-23_odp.02 systems or system components systems or system components supporting mission-essential services or functions are defined;
SA-24
Design For Cyber Resiliency 5 params
a. Design organizational systems, system components, or system services to achieve cyber resiliency by: 1. Defining the following cyber resiliency goals: {{ insert: param, sa-24_odp.01 }}. ...
View parameters
Param ID Label Constraint / Choices
sa-24_odp.01 cyber resiliency goals cyber resiliency goals are defined;
sa-24_odp.02 cyber resiliency objectives cyber resiliency objectives are defined;
sa-24_odp.03 cyber resiliency techniques cyber resiliency techniques are defined;
sa-24_odp.04 cyber resiliency implementation approaches cyber resiliency implementation approaches are defined;
sa-24_odp.05 cyber resiliency design principles cyber resiliency design principles are defined;
sa-24a Design organizational systems, system components, or system services to achieve cyber resiliency by:
sa-24a.1 Defining the following cyber resiliency goals: {{ insert: param, sa-24_odp.01 }}.
sa-24a.2 Defining the following cyber resiliency objectives: {{ insert: param, sa-24_odp.02 }}.
sa-24a.3 Defining the following cyber resiliency techniques: {{ insert: param, sa-24_odp.03 }}.
sa-24a.4 Defining the following cyber resiliency implementation approaches: {{ insert: param, sa-24_odp.04 }}.
sa-24a.5 Defining the following cyber resiliency design principles: {{ insert: param, sa-24_odp.05 }}.
sa-24b Implement the selected cyber resiliency goals, objectives, techniques, implementation approaches, and design principles as part of an organizationa...
sa-2a Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
sa-2b Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and...
sa-2c Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.
sa-3.2.(a) Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and
sa-3.2.(b) Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data ...
sa-3a Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;
sa-3b Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
sa-3c Identify individuals having information security and privacy roles and responsibilities; and
sa-3d Integrate the organizational information security and privacy risk management process into system development life cycle activities.
sa-4.12.(a) Include organizational data ownership requirements in the acquisition contract; and
sa-4.12.(b) Require all data to be removed from the contractor’s system and returned to the organization within {{ insert: param, sa-04.12_odp }}.
sa-4.3.(a) {{ insert: param, sa-04.03_odp.01 }};
sa-4.3.(b) {{ insert: param, sa-04.03_odp.02 }} ; and
sa-4.3.(c) {{ insert: param, sa-04.03_odp.05 }}.
sa-4.5.(a) Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and
sa-4.5.(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
sa-4.6.(a) Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology pro...
sa-4.6.(b) Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
sa-4.7.(a) Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products th...
sa-4.7.(b) Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product re...
sa-4a Security and privacy functional requirements;
sa-4b Strength of mechanism requirements;
sa-4c Security and privacy assurance requirements;
sa-4d Controls needed to satisfy the security and privacy requirements.
sa-4e Security and privacy documentation requirements;
sa-4f Requirements for protecting security and privacy documentation;
sa-4g Description of the system development environment and environment in which the system is intended to operate;
sa-4h Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
sa-4i Acceptance criteria.
sa-5a Obtain or develop administrator documentation for the system, system component, or system service that describes:
sa-5a.1 Secure configuration, installation, and operation of the system, component, or service;
sa-5a.2 Effective use and maintenance of security and privacy functions and mechanisms; and
sa-5a.3 Known vulnerabilities regarding configuration and use of administrative or privileged functions;
sa-5b Obtain or develop user documentation for the system, system component, or system service that describes:
sa-5b.1 User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
sa-5b.2 Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual pri...
sa-5b.3 User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
sa-5c Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent ...
sa-5d Distribute documentation to {{ insert: param, sa-05_odp.02 }}.
sa-9.1.(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
sa-9.1.(b) Verify that the acquisition or outsourcing of dedicated information security services is approved by {{ insert: param, sa-09.01_odp }}.
sa-9a Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ...
sa-9b Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
sa-9c Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert:...