SA: System And Services Acquisition

Controls

SA-1: System And Services Acquisition Policy And Procedures

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and Reviews and…

SA-2: Allocation Of Resources

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Determines information security requirements for the information system or information system service in mission/business process planning; Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and Establishes a discrete line item for information security in organizational…

SA-3: System Development Life Cycle

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; Defines and documents information security roles and responsibilities throughout the system development life cycle; Identifies individuals having information security roles and responsibilities; and Integrates the organizational information security risk management process into system development life cycle activities.

SA-4: Acquisition Process

Baseline(s):

  • Low
  • Moderate
  • High

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements; Security strength requirements; Security assurance requirements; Security-related documentation…

SA-5: Information System Documentation

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security functions/mechanisms; and Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; Obtains user documentation for the information system, system…

SA-8: Security Engineering Principles

Baseline(s):

  • Moderate
  • High

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

SA-9: External Information System Services

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and Employs…

SA-10: Developer Configuration Management

Baseline(s):

  • Moderate
  • High

The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; Implement only organization-approved changes to the system,…

SA-11: Developer Security Testing And Evaluation

Baseline(s):

  • Moderate
  • High

The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan; Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; Produce evidence of the execution of the security assessment plan and the results of the security…

SA-12: Supply Chain Protection

Baseline(s):

  • High

The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.

SA-13: Trustworthiness

Baseline(s):

(Not part of any baseline)

The organization: Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness.

SA-14: Criticality Analysis

Baseline(s):

(Not part of any baseline)

The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].

SA-15: Development Process, Standards, And Tools

Baseline(s):

  • High

The organization: Requires the developer of the information system, system component, or information system service to follow a documented development process that: Explicitly addresses security requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the…

SA-16: Developer-Provided Training

Baseline(s):

  • High

The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

SA-17: Developer Security Architecture And Design

Baseline(s):

  • High

The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that: Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture; Accurately and completely describes the required security…

SA-18: Tamper Resistance And Detection

Baseline(s):

(Not part of any baseline)

The organization implements a tamper protection program for the information system, system component, or information system service.

SA-19: Component Authenticity

Baseline(s):

(Not part of any baseline)

The organization: Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].

SA-21: Developer Screening

Baseline(s):

(Not part of any baseline)

The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]: Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and Satisfy [Assignment: organization-defined additional personnel screening criteria].

SA-22: Unsupported System Components

Baseline(s):

(Not part of any baseline)

The organization: Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.