SA-20: Customized Development of Critical Components

CSF v1.1 References:


  • Low


  • Moderate


  • High


  • Privacy


Previous Version:

Control Statement

Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components].

Supplemental Guidance

Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to reimplement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files.