SA-4: Acquisition Process
Control Family: System and Services Acquisition
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SA-4: Acquisition Process
Control Statement
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Assignment (one or more): standardized contract language, [Assignment: organization-defined contract language] ] in the acquisition contract for the system, system component, or system service:
- Security and privacy functional requirements;
- Strength of mechanism requirements;
- Security and privacy assurance requirements;
- Controls needed to satisfy the security and privacy requirements;
- Security and privacy documentation requirements;
- Requirements for protecting security and privacy documentation;
- Description of the system development environment and environment in which the system is intended to operate;
- Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
- Acceptance criteria.
Supplemental Guidance
Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.
Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.
Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.
Control Enhancements
SA-4(1): Functional Properties of Controls
Baseline(s):
- Moderate
- High
Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
SA-4(2): Design and Implementation Information for Controls
Baseline(s):
- Moderate
- High
Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Assignment (one or more): security-relevant external system interfaces, high-level design, low-level design, source code or hardware schematics, [Assignment: organization-defined design and implementation information] ] at [Assignment: organization-defined level of detail].
SA-4(3): Development Methods, Techniques, and Practices
Baseline(s):
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined systems engineering methods]; [Assignment: organization-defined [Assignment (one or more): systems security, privacy] engineering methods]; and [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control…
SA-4(5): System, Component, and Service Configurations
Baseline(s):
- High
Require the developer of the system, system component, or system service to:
- Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
- Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
SA-4(6): Use of Information Assurance Products
Baseline(s):
- Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
- Ensure that these products have been evaluated and/or validated by NSA…
SA-4(7): NIAP-approved Protection Profiles
Baseline(s):
- Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
- Require, if no NIAP-approved Protection Profile exists for a specific technology type but…
SA-4(8): Continuous Monitoring Plan for Controls
Baseline(s):
Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
SA-4(9): Functions, Ports, Protocols, and Services in Use
Baseline(s):
- Moderate
- High
Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.
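As an added worked example (not from NIST and not part of this control text), one way an acquirer can turn SA-4(9) into an acceptance check: compare the developer's declared functions/ports/protocols/services (FPPS) list against what the delivered system actually listens on. The manifest layout, the `ss -tulnp` style socket listing, and every host, port and process name in it are constructed for illustration; a real contract would fix its own manifest format.

```python
"""Acceptance check for SA-4(9): declared FPPS list vs. observed listeners.

Added example. The declaration format and the socket listing below are
constructed for illustration only (hypothetical services and processes).
"""
import re
from dataclasses import dataclass

# Constructed developer FPPS declaration: one entry per intended listener.
DECLARED_FPPS = [
    {"function": "web UI", "port": 443, "protocol": "tcp", "service": "nginx"},
    {"function": "remote admin", "port": 22, "protocol": "tcp", "service": "sshd"},
    {"function": "time sync", "port": 123, "protocol": "udp", "service": "chronyd"},
]

# Constructed `ss -tulnp`-style output captured from the delivered system.
# Deliberately includes: an undeclared telnet listener, an undeclared
# loopback-only php-fpm socket, an undeclared DHCP client socket, a declared
# port (22) served by a different daemon, and a declared service (chronyd)
# that is not running at all.
OBSERVED_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("dropbear",pid=640,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:9000    0.0.0.0:*         users:(("php-fpm",pid=901,fd=7))
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*         users:(("telnetd",pid=955,fd=4))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=455,fd=6))
"""


@dataclass(frozen=True)
class Listener:
    protocol: str
    port: int
    address: str
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp`-style lines into Listener records (header skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        address, _, port = fields[4].rpartition(":")  # works for [::]:443 too
        match = re.search(r'\(\("([^"]+)"', line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(fields[0], int(port), address, process))
    return listeners


def check_fpps(declared: list[dict], observed: list[Listener]) -> dict:
    """Return three deviation lists keyed by (protocol, port):
    undeclared listeners, declared-but-missing services, and declared
    ports where a different process than the declared service answers."""
    declared_by_key = {(d["protocol"], d["port"]): d for d in declared}
    observed_by_key = {(l.protocol, l.port): l for l in observed}
    undeclared = [l for k, l in observed_by_key.items() if k not in declared_by_key]
    missing = [d for k, d in declared_by_key.items() if k not in observed_by_key]
    mismatch = [
        (d, observed_by_key[k])
        for k, d in declared_by_key.items()
        if k in observed_by_key and observed_by_key[k].process != d["service"]
    ]
    return {"undeclared": undeclared, "missing": missing, "service_mismatch": mismatch}


if __name__ == "__main__":
    report = check_fpps(DECLARED_FPPS, parse_ss(OBSERVED_SS_OUTPUT))
    for l in report["undeclared"]:
        print(f"UNDECLARED  {l.protocol}/{l.port} on {l.address} ({l.process})")
    for d in report["missing"]:
        print(f"MISSING     {d['protocol']}/{d['port']} {d['service']} ({d['function']})")
    for d, l in report["service_mismatch"]:
        print(f"MISMATCH    {d['protocol']}/{d['port']} declared {d['service']}, found {l.process}")
```

Any non-empty deviation list is a reason to withhold acceptance until the developer either updates the declaration (and the contract's mandated configuration settings) or removes the listener; loopback-only sockets such as the php-fpm entry still count, since SA-4(9) asks for every function, port, protocol and service in use, not only the externally reachable ones.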
SA-4(10): Use of Approved PIV Products
Baseline(s):
- Low
- Moderate
- High
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
SA-4(11): System of Records
Baseline(s):
Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.
SA-4(12): Data Ownership
Baseline(s):
- Include organizational data ownership requirements in the acquisition contract; and
- Require all data to be removed from the contractor's system and returned to the organization within [Assignment: organization-defined time frame].