SA-4(5): System, Component, and Service Configurations

Control Family:

System and Services Acquisition

Parent Control:

SA-4: Acquisition Process

CSF v1.1 References:

ID.SC-3
PR.IP-2
DE.CM-6

Baselines:

High

Previous Version:

NIST Special Publication 800-53 Revision 4:
SA-4(5): System / Component / Service Configurations

Control Statement

Require the developer of the system, system component, or system service to:

Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

Supplemental Guidance

Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed.