System and services acquisition


SA-1 System And Services Acquisition Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
  2. Reviews and updates the current:
    1. System and services acquisition policy [Assignment: organization-defined frequency]; and
    2. System and services acquisition procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

SA-2 Allocation Of Resources

Description

The organization:

  1. Determines information security requirements for the information system or information system service in mission/business process planning;
  2. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
  3. Establishes a discrete line item for information security in organizational programming and budgeting documentation.

Control Information

Responsible role(s) - Organization

SA-3 System Development Life Cycle

Description

The organization:

  1. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
  2. Defines and documents information security roles and responsibilities throughout the system development life cycle;
  3. Identifies individuals having information security roles and responsibilities; and
  4. Integrates the organizational information security risk management process into system development life cycle activities.

Control Information

Responsible role(s) - Organization

SA-4 Acquisition Process

Description

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

  1. Security functional requirements;
  2. Security strength requirements;
  3. Security assurance requirements;
  4. Security-related documentation requirements;
  5. Requirements for protecting security-related documentation;
  6. Description of the information system development environment and environment in which the system is intended to operate; and
  7. Acceptance criteria.

Control Information

Responsible role(s) - Organization

SA-4 (1) Functional Properties Of Security Controls

Description

The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

Control Information

Responsible role(s) - Organization

SA-4 (2) Design / Implementation Information For Security Controls

Description

The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].

Control Information

Responsible role(s) - Organization

SA-4 (3) Development Methods / Techniques / Practices

Description

The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].

Control Information

Responsible role(s) - Organization

SA-4 (5) System / Component / Service Configurations

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
  2. Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

Control Information

Responsible role(s) - Organization

SA-4 (6) Use Of Information Assurance Products

Description

The organization:

  1. Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
  2. Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.

Control Information

Responsible role(s) - Organization

SA-4 (7) NIAP-Approved Protection Profiles

Description

The organization:

  1. Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
  2. Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.

Control Information

Responsible role(s) - Organization

SA-4 (8) Continuous Monitoring Plan

Description

The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].

Control Information

Responsible role(s) - Organization

SA-4 (9) Functions / Ports / Protocols / Services In Use

Description

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

Control Information

Responsible role(s) - Organization

SA-4 (10) Use Of Approved PIV Products

Description

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

Control Information

Responsible role(s) - Organization

SA-5 Information System Documentation

Description

The organization:

  1. Obtains administrator documentation for the information system, system component, or information system service that describes:
    1. Secure configuration, installation, and operation of the system, component, or service;
    2. Effective use and maintenance of security functions/mechanisms; and
    3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
  2. Obtains user documentation for the information system, system component, or information system service that describes:
    1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
    2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
    3. User responsibilities in maintaining the security of the system, component, or service;
  3. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;
  4. Protects documentation as required, in accordance with the risk management strategy; and
  5. Distributes documentation to [Assignment: organization-defined personnel or roles].

Control Information

Responsible role(s) - Organization

SA-8 Security Engineering Principles

Description

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Control Information

Responsible role(s) - Organization

SA-9 External Information System Services

Description

The organization:

  1. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  2. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
  3. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Control Information

Responsible role(s) - Organization

SA-9 (1) Risk Assessments / Organizational Approvals

Description

The organization:

  1. Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
  2. Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].

Control Information

Responsible role(s) - Organization

SA-9 (2) Identification Of Functions / Ports / Protocols / Services

Description

The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.

Control Information

Responsible role(s) - Organization

SA-9 (3) Establish / Maintain Trust Relationship With Providers

Description

The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships].

Control Information

Responsible role(s) - Organization

SA-9 (4) Consistent Interests Of Consumers And Providers

Description

The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.

Control Information

Responsible role(s) - Organization

SA-9 (5) Processing, Storage, And Service Location

Description

The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].

Control Information

Responsible role(s) - Organization

SA-10 Developer Configuration Management

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
  2. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
  3. Implement only organization-approved changes to the system, component, or service;
  4. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
  5. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].

Control Information

Responsible role(s) - Organization

SA-10 (1) Software / Firmware Integrity Verification

Description

The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.

Control Information

Responsible role(s) - Docker system

| Component | Implementation Status(es) | Control Origin(s) |
|---|---|---|
| Docker Trusted Registry (DTR) | complete | service provider hybrid |
| Docker Enterprise Edition Engine | complete | service provider hybrid |
| Universal Control Plane (UCP) | complete | service provider hybrid |

Implementation Details

Docker Content Trust gives you the ability to verify both the integrity and the publisher of all the data received from a Docker Trusted Registry over any channel. It allows operations with a remote DTR instance to enforce client-side signing and verification of image tags. It provides the ability to use digital signatures for data sent to and received from remote DTR instances. These signatures allow client-side verification of the integrity and publisher of specific image tags. Docker Trusted Registry includes an integrated image signing service.

Docker Content Trust gives you the ability to verify both the integrity and the publisher of all the data received from a Docker Trusted Registry over any channel. It allows operations with a remote DTR instance to enforce client-side signing and verification of image tags. It provides the ability to use digital signatures for data sent to and received from remote DTR instances. These signatures allow client-side verification of the integrity and publisher of specific image tags.

The organization is responsible for meeting the requirements of this control. To assist with these requirements, Docker Content Trust gives you the ability to verify both the integrity and the publisher of all the data received from a Docker Trusted Registry over any channel. It allows operations with a remote DTR instance to enforce client-side signing and verification of image tags. It provides the ability to use digital signatures for data sent to and received from remote DTR instances. These signatures allow client-side verification of the integrity and publisher of specific image tags. Universal Control Plane can be configured to only run trusted and signed images. Additional information can be found at the following resources:
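
Separately from those resources, the client-side verification described above can be sketched as a deployment gate. This is an added example, not Docker's code or part of the original page: it reads the JSON printed by `docker trust inspect` and accepts a tag only when every required signer has signed it and the pulled digest equals the signed digest. The registry name, signer names, digest and key IDs are constructed placeholders, and `verify_trust` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like the JSON that `docker trust inspect` prints.
# Registry name, signer names, digest and key IDs are placeholders.
SAMPLE = json.dumps([{
    "Name": "dtr.example.com/prod/api:1.4.2",
    "SignedTags": [{
        "SignedTag": "1.4.2",
        "Digest": "ab" * 32,
        "Signers": ["ci-release", "security-review"],
    }],
    "Signers": [
        {"Name": "ci-release", "Keys": [{"ID": "11" * 32}]},
        {"Name": "security-review", "Keys": [{"ID": "22" * 32}]},
    ],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "33" * 32}]},
        {"Name": "Repository", "Keys": [{"ID": "44" * 32}]},
    ],
}])

HEX = set("0123456789abcdef")


def verify_trust(inspect_json, tag, required_signers, pulled_digest=None):
    """Return (ok, reason) for one tag. Every unexpected input fails closed."""
    required = set(required_signers)
    if not required:
        return False, "no required signers configured"
    try:
        data = json.loads(inspect_json)
    except (TypeError, ValueError):
        return False, "trust data is not valid JSON"
    if not isinstance(data, list) or len(data) != 1 or not isinstance(data[0], dict):
        return False, "expected trust data for exactly one repository"

    # Publisher check: the tag must have a signed entry ...
    entries = [t for t in data[0].get("SignedTags") or []
               if isinstance(t, dict) and t.get("SignedTag") == tag]
    if len(entries) != 1:
        return False, "tag %r has no signed entry" % tag
    entry = entries[0]

    # ... carrying a signature from every signer the policy requires.
    missing = sorted(required - set(entry.get("Signers") or []))
    if missing:
        return False, "missing signer(s): " + ", ".join(missing)

    # Integrity check: the signed digest must be a well-formed SHA-256 value
    # and, when the caller supplies what was actually pulled, must match it.
    signed = str(entry.get("Digest") or "").lower()
    if len(signed) != 64 or not set(signed) <= HEX:
        return False, "signed digest is malformed"
    if pulled_digest is not None:
        got = pulled_digest.lower()
        if got.startswith("sha256:"):
            got = got[len("sha256:"):]
        if got != signed:
            return False, "pulled digest differs from signed digest"
    return True, "ok"


if __name__ == "__main__":
    print(verify_trust(SAMPLE, "1.4.2",
                       {"ci-release", "security-review"},
                       "sha256:" + "ab" * 32))
```

On the Docker client itself, setting `DOCKER_CONTENT_TRUST=1` makes `docker pull` and `docker run` refuse tags that have no valid trust data; a gate like this adds a per-signer policy on top.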

SA-10 (2) Alternative Configuration Management Processes

Description

The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.

Control Information

Responsible role(s) - Organization

SA-10 (3) Hardware Integrity Verification

Description

The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.

Control Information

Responsible role(s) - Organization

SA-10 (4) Trusted Generation

Description

The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.

Control Information

Responsible role(s) - Organization

SA-10 (5) Mapping Integrity For Version Control

Description

The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.

Control Information

Responsible role(s) - Organization

SA-10 (6) Trusted Distribution

Description

The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.

Control Information

Responsible role(s) - Organization

SA-11 Developer Security Testing And Evaluation

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Create and implement a security assessment plan;
  2. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
  3. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
  4. Implement a verifiable flaw remediation process; and
  5. Correct flaws identified during security testing/evaluation.

Control Information

Responsible role(s) - Organization

SA-11 (1) Static Code Analysis

Description

The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

Control Information

Responsible role(s) - Organization

SA-11 (2) Threat And Vulnerability Analyses

Description

The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.

Control Information

Responsible role(s) - Organization

SA-11 (3) Independent Verification Of Assessment Plans / Evidence

Description

The organization:

  1. Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
  2. Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.

Control Information

Responsible role(s) - Organization

SA-11 (4) Manual Code Reviews

Description

The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques].

Control Information

Responsible role(s) - Organization

SA-11 (5) Penetration Testing

Description

The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints].

Control Information

Responsible role(s) - Organization

SA-11 (6) Attack Surface Reviews

Description

The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.

Control Information

Responsible role(s) - Organization

SA-11 (7) Verify Scope Of Testing / Evaluation

Description

The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].

Control Information

Responsible role(s) - Organization

SA-11 (8) Dynamic Code Analysis

Description

The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

Control Information

Responsible role(s) - Organization

SA-12 Supply Chain Protection

Description

The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.

Control Information

Responsible role(s) - Organization

SA-12 (1) Acquisition Strategies / Tools / Methods

Description

The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers.

Control Information

Responsible role(s) - Organization

SA-12 (2) Supplier Reviews

Description

The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.

Control Information

Responsible role(s) - Organization

SA-12 (5) Limitation Of Harm

Description

The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain.

Control Information

Responsible role(s) - Organization

SA-12 (7) Assessments Prior To Selection / Acceptance / Update

Description

The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.

Control Information

Responsible role(s) - Organization

SA-12 (8) Use Of All-Source Intelligence

Description

The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.

Control Information

Responsible role(s) - Organization

SA-12 (9) Operations Security

Description

The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.

Control Information

Responsible role(s) - Organization

SA-12 (10) Validate As Genuine And Not Altered

Description

The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered.

Control Information

Responsible role(s) - Organization

SA-12 (11) Penetration Testing / Analysis Of Elements, Processes, And Actors

Description

The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service.

Control Information

Responsible role(s) - Organization

SA-12 (12) Inter-Organizational Agreements

Description

The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.

Control Information

Responsible role(s) - Organization

SA-12 (13) Critical Information System Components

Description

The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components].

Control Information

Responsible role(s) - Organization

SA-12 (14) Identity And Traceability

Description

The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service.

Control Information

Responsible role(s) - Organization

SA-12 (15) Processes To Address Weaknesses Or Deficiencies

Description

The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.

Control Information

Responsible role(s) - Organization

SA-13 Trustworthiness

Description

The organization:

  1. Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
  2. Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness.

Control Information

Responsible role(s) - Organization

SA-14 Criticality Analysis

Description

The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].

Control Information

Responsible role(s) - Organization

SA-15 Development Process, Standards, And Tools

Description

The organization:

  1. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
    1. Explicitly addresses security requirements;
    2. Identifies the standards and tools used in the development process;
    3. Documents the specific tool options and tool configurations used in the development process; and
    4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
  2. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].

Control Information

Responsible role(s) - Organization

SA-15 (1) Quality Metrics

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Define quality metrics at the beginning of the development process; and
  2. Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].

Control Information

Responsible role(s) - Organization

SA-15 (2) Security Tracking Tools

Description

The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.

Control Information

Responsible role(s) - Organization

SA-15 (3) Criticality Analysis

Description

The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].

Control Information

Responsible role(s) - Organization

SA-15 (4) Threat Modeling / Vulnerability Analysis

Description

The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:

  1. Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
  2. Employs [Assignment: organization-defined tools and methods]; and
  3. Produces evidence that meets [Assignment: organization-defined acceptance criteria].

Control Information

Responsible role(s) - Organization

SA-15 (5) Attack Surface Reduction

Description

The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds].

Control Information

Responsible role(s) - Organization

SA-15 (6) Continuous Improvement

Description

The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.

Control Information

Responsible role(s) - Organization

SA-15 (7) Automated Vulnerability Analysis

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
  2. Determine the exploitation potential for discovered vulnerabilities;
  3. Determine potential risk mitigations for delivered vulnerabilities; and
  4. Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].

Control Information

Responsible role(s) - Organization

SA-15 (8) Reuse Of Threat / Vulnerability Information

Description

The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.

Control Information

Responsible role(s) - Organization

SA-15 (9) Use Of Live Data

Description

The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.

Control Information

Responsible role(s) - Organization

SA-15 (10) Incident Response Plan

Description

The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.

Control Information

Responsible role(s) - Organization

SA-15 (11) Archive Information System / Component

Description

The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.

Control Information

Responsible role(s) - Organization

SA-16 Developer-Provided Training

Description

The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

Control Information

Responsible role(s) - Organization

SA-17 Developer Security Architecture And Design

Description

The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:

  1. Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;
  2. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
  3. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

Control Information

Responsible role(s) - Organization

SA-17 (1) Formal Policy Model

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and
  2. Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.

Control Information

Responsible role(s) - Organization

SA-17 (2) Security-Relevant Components

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Define security-relevant hardware, software, and firmware; and
  2. Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.

Control Information

Responsible role(s) - Organization

SA-17 (3) Formal Correspondence

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
  2. Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
  3. Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
  4. Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
  5. Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

Control Information

Responsible role(s) - Organization

SA-17 (4) Informal Correspondence

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
  2. Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
  3. Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
  4. Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
  5. Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

Control Information

Responsible role(s) - Organization

SA-17 (5) Conceptually Simple Design

Description

The organization requires the developer of the information system, system component, or information system service to:

  1. Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
  2. Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.

Control Information

Responsible role(s) - Organization

SA-17 (6) Structure For Testing

Description

The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.

Control Information

Responsible role(s) - Organization

SA-17 (7) Structure For Least Privilege

Description

The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.

Control Information

Responsible role(s) - Organization

SA-18 Tamper Resistance And Detection

Description

The organization implements a tamper protection program for the information system, system component, or information system service.

Control Information

Responsible role(s) - Organization

SA-18 (1) Multiple Phases Of SDLC

Description

The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance.

Control Information

Responsible role(s) - Organization

SA-18 (2) Inspection Of Information Systems, Components, Or Devices

Description

The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering.

Control Information

Responsible role(s) - Organization

SA-19 Component Authenticity

Description

The organization:

  1. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
  2. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].

Control Information

Responsible role(s) - Organization

SA-19 (1) Anti-Counterfeit Training

Description

The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).

Control Information

Responsible role(s) - Organization

SA-19 (2) Configuration Control For Component Service / Repair

Description

The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.

Control Information

Responsible role(s) - Organization

SA-19 (3) Component Disposal

Description

The organization disposes of information system components using [Assignment: organization-defined techniques and methods].

Control Information

Responsible role(s) - Organization

SA-19 (4) Anti-Counterfeit Scanning

Description

The organization scans for counterfeit information system components [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

SA-20 Customized Development Of Critical Components

Description

The organization re-implements or custom develops [Assignment: organization-defined critical information system components].

Control Information

Responsible role(s) - Organization

SA-21 Developer Screening

Description

The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:

  1. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
  2. Satisfy [Assignment: organization-defined additional personnel screening criteria].

Control Information

Responsible role(s) - Organization

SA-21 (1) Validation Of Screening

Description

The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied.

Control Information

Responsible role(s) - Organization

SA-22 Unsupported System Components

Description

The organization:

  1. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
  2. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.

Control Information

Responsible role(s) - Organization

SA-22 (1) Alternative Sources For Continued Support

Description

The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components.

Control Information

Responsible role(s) - Organization
