SA-4(6): Use Of Information Assurance Products

Control Family:

System And Services Acquisition

Parent Control:

SA-4: Acquisition Process

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
SA-4(6): Use of Information Assurance Products

Control Statement

The organization:

Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.

Supplemental Guidance

COTS IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management.