SA-4: Acquisition Process

CSF v1.1 References:

PF v1.0 References:

Baselines:

Next Version:

Control Statement

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

  1. Security functional requirements;
  2. Security strength requirements;
  3. Security assurance requirements;
  4. Security-related documentation requirements;
  5. Requirements for protecting security-related documentation;
  6. Description of the information system development environment and environment in which the system is intended to operate; and
  7. Acceptance criteria.

Supplemental Guidance

Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.

Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.

Control Enhancements

SA-4(1): Functional Properties Of Security Controls

Baseline(s):

  • Moderate
  • High

The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

SA-4(2): Design / Implementation Information For Security Controls

Baseline(s):

  • Moderate
  • High

The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level…

SA-4(3): Development Methods / Techniques / Practices

Baseline(s):

(Not part of any baseline)

The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].

SA-4(5): System / Component / Service Configurations

Baseline(s):

(Not part of any baseline)

The organization requires the developer of the information system, system component, or information system service to: Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

SA-4(6): Use Of Information Assurance Products

Baseline(s):

(Not part of any baseline)

The organization: Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and Ensures that these products have been evaluated…

SA-4(7): Niap-Approved Protection Profiles

Baseline(s):

(Not part of any baseline)

The organization: Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and Requires, if no NIAP-approved Protection Profile exists for a specific technology…

SA-4(8): Continuous Monitoring Plan

Baseline(s):

(Not part of any baseline)

The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].

SA-4(9): Functions / Ports / Protocols / Services In Use

Baseline(s):

  • Moderate
  • High

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

SA-4(10): Use Of Approved Piv Products

Baseline(s):

  • Low
  • Moderate
  • High

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.