System and services acquisition
SA-1 System And Services Acquisition Policy And Procedures
Description
The organization:
- Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
- A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
- Reviews and updates the current:
- System and services acquisition policy [Assignment: organization-defined frequency]; and
- System and services acquisition procedures [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
SA-2 Allocation Of Resources
Description
The organization:
- Determines information security requirements for the information system or information system service in mission/business process planning;
- Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
- Establishes a discrete line item for information security in organizational programming and budgeting documentation.
Control Information
Responsible role(s) - Organization
SA-3 System Development Life Cycle
Description
The organization:
- Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
- Defines and documents information security roles and responsibilities throughout the system development life cycle;
- Identifies individuals having information security roles and responsibilities; and
- Integrates the organizational information security risk management process into system development life cycle activities.
Control Information
Responsible role(s) - Organization
SA-4 Acquisition Process
Description
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
- Security functional requirements;
- Security strength requirements;
- Security assurance requirements;
- Security-related documentation requirements;
- Requirements for protecting security-related documentation;
- Description of the information system development environment and environment in which the system is intended to operate; and
- Acceptance criteria.
Control Information
Responsible role(s) - Organization
SA-4 (1) Functional Properties Of Security Controls
Description
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
Control Information
Responsible role(s) - Organization
SA-4 (2) Design / Implementation Information For Security Controls
Description
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
Control Information
Responsible role(s) - Organization
SA-4 (3) Development Methods / Techniques / Practices
Description
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].
Control Information
Responsible role(s) - Organization
SA-4 (5) System / Component / Service Configurations
Description
The organization requires the developer of the information system, system component, or information system service to:
- Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
- Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
Control Information
Responsible role(s) - Organization
SA-4 (6) Use Of Information Assurance Products
Description
The organization:
- Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
- Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
Control Information
Responsible role(s) - Organization
SA-4 (7) NIAP-Approved Protection Profiles
Description
The organization:
- Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
- Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
Control Information
Responsible role(s) - Organization
SA-4 (8) Continuous Monitoring Plan
Description
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].
Control Information
Responsible role(s) - Organization
SA-4 (9) Functions / Ports / Protocols / Services In Use
Description
The organization requires the developer of the information system, system component, or information system service to identify, early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
Control Information
Responsible role(s) - Organization
SA-4 (10) Use Of Approved PIV Products
Description
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
Control Information
Responsible role(s) - Organization
SA-5 Information System Documentation
Description
The organization:
- Obtains administrator documentation for the information system, system component, or information system service that describes:
- Secure configuration, installation, and operation of the system, component, or service;
- Effective use and maintenance of security functions/mechanisms; and
- Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
- Obtains user documentation for the information system, system component, or information system service that describes:
- User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
- Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
- User responsibilities in maintaining the security of the system, component, or service;
- Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;
- Protects documentation as required, in accordance with the risk management strategy; and
- Distributes documentation to [Assignment: organization-defined personnel or roles].
Control Information
Responsible role(s) - Organization
SA-8 Security Engineering Principles
Description
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
Control Information
Responsible role(s) - Organization
SA-9 External Information System Services
Description
The organization:
- Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
- Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
- Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
Control Information
Responsible role(s) - Organization
SA-9 (1) Risk Assessments / Organizational Approvals
Description
The organization:
- Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
- Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Control Information
Responsible role(s) - Organization
SA-9 (2) Identification Of Functions / Ports / Protocols / Services
Description
The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
Control Information
Responsible role(s) - Organization
SA-9 (3) Establish / Maintain Trust Relationship With Providers
Description
The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships].
Control Information
Responsible role(s) - Organization
SA-9 (4) Consistent Interests Of Consumers And Providers
Description
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
Control Information
Responsible role(s) - Organization
SA-9 (5) Processing, Storage, And Service Location
Description
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
Control Information
Responsible role(s) - Organization
SA-10 Developer Configuration Management
Description
The organization requires the developer of the information system, system component, or information system service to:
- Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
- Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
- Implement only organization-approved changes to the system, component, or service;
- Document approved changes to the system, component, or service and the potential security impacts of such changes; and
- Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Control Information
Responsible role(s) - Organization
SA-10 (1) Software / Firmware Integrity Verification
Description
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s)
---|---|---
Docker Trusted Registry (DTR) | complete | service provider hybrid
Docker Enterprise Edition Engine | complete | service provider hybrid
Universal Control Plane (UCP) | complete | service provider hybrid
Implementation Details
SA-10 (2) Alternative Configuration Management Processes
Description
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
Control Information
Responsible role(s) - Organization
SA-10 (3) Hardware Integrity Verification
Description
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
Control Information
Responsible role(s) - Organization
SA-10 (4) Trusted Generation
Description
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.
Control Information
Responsible role(s) - Organization
SA-10 (5) Mapping Integrity For Version Control
Description
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
Control Information
Responsible role(s) - Organization
SA-10 (6) Trusted Distribution
Description
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
Control Information
Responsible role(s) - Organization
SA-11 Developer Security Testing And Evaluation
Description
The organization requires the developer of the information system, system component, or information system service to:
- Create and implement a security assessment plan;
- Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
- Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
- Implement a verifiable flaw remediation process; and
- Correct flaws identified during security testing/evaluation.
Control Information
Responsible role(s) - Organization
SA-11 (1) Static Code Analysis
Description
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
Control Information
Responsible role(s) - Organization
SA-11 (2) Threat And Vulnerability Analyses
Description
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
Control Information
Responsible role(s) - Organization
SA-11 (3) Independent Verification Of Assessment Plans / Evidence
Description
The organization:
- Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
- Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.
Control Information
Responsible role(s) - Organization
SA-11 (4) Manual Code Reviews
Description
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques].
Control Information
Responsible role(s) - Organization
SA-11 (5) Penetration Testing
Description
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints].
Control Information
Responsible role(s) - Organization
SA-11 (6) Attack Surface Reviews
Description
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
Control Information
Responsible role(s) - Organization
SA-11 (7) Verify Scope Of Testing / Evaluation
Description
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].
Control Information
Responsible role(s) - Organization
SA-11 (8) Dynamic Code Analysis
Description
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
Control Information
Responsible role(s) - Organization
SA-12 Supply Chain Protection
Description
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
Control Information
Responsible role(s) - Organization
SA-12 (1) Acquisition Strategies / Tools / Methods
Description
The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers.
Control Information
Responsible role(s) - Organization
SA-12 (2) Supplier Reviews
Description
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
Control Information
Responsible role(s) - Organization
SA-12 (5) Limitation Of Harm
Description
The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain.
Control Information
Responsible role(s) - Organization
SA-12 (7) Assessments Prior To Selection / Acceptance / Update
Description
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
Control Information
Responsible role(s) - Organization
SA-12 (8) Use Of All-Source Intelligence
Description
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
Control Information
Responsible role(s) - Organization
SA-12 (9) Operations Security
Description
The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
Control Information
Responsible role(s) - Organization
SA-12 (10) Validate As Genuine And Not Altered
Description
The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered.
Control Information
Responsible role(s) - Organization
SA-12 (11) Penetration Testing / Analysis Of Elements, Processes, And Actors
Description
The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service.
Control Information
Responsible role(s) - Organization
SA-12 (12) Inter-Organizational Agreements
Description
The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.
Control Information
Responsible role(s) - Organization
SA-12 (13) Critical Information System Components
Description
The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components].
Control Information
Responsible role(s) - Organization
SA-12 (14) Identity And Traceability
Description
The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service.
Control Information
Responsible role(s) - Organization
SA-12 (15) Processes To Address Weaknesses Or Deficiencies
Description
The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
Control Information
Responsible role(s) - Organization
SA-13 Trustworthiness
Description
The organization:
- Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
- Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness.
Control Information
Responsible role(s) - Organization
SA-14 Criticality Analysis
Description
The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].
Control Information
Responsible role(s) - Organization
SA-15 Development Process, Standards, And Tools
Description
The organization:
- Requires the developer of the information system, system component, or information system service to follow a documented development process that:
- Explicitly addresses security requirements;
- Identifies the standards and tools used in the development process;
- Documents the specific tool options and tool configurations used in the development process; and
- Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
- Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].
Control Information
Responsible role(s) - Organization
SA-15 (1) Quality Metrics
Description
The organization requires the developer of the information system, system component, or information system service to:
- Define quality metrics at the beginning of the development process; and
- Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].
Control Information
Responsible role(s) - Organization
SA-15 (2) Security Tracking Tools
Description
The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.
Control Information
Responsible role(s) - Organization
SA-15 (3) Criticality Analysis
Description
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].
Control Information
Responsible role(s) - Organization
SA-15 (4) Threat Modeling / Vulnerability Analysis
Description
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
- Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
- Employs [Assignment: organization-defined tools and methods]; and
- Produces evidence that meets [Assignment: organization-defined acceptance criteria].
Control Information
Responsible role(s) - Organization
SA-15 (5) Attack Surface Reduction
Description
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
Control Information
Responsible role(s) - Organization
SA-15 (6) Continuous Improvement
Description
The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
Control Information
Responsible role(s) - Organization
SA-15 (7) Automated Vulnerability Analysis
Description
The organization requires the developer of the information system, system component, or information system service to:
- Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
- Determine the exploitation potential for discovered vulnerabilities;
- Determine potential risk mitigations for delivered vulnerabilities; and
- Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].
Control Information
Responsible role(s) - Organization
SA-15 (8) Reuse Of Threat / Vulnerability Information
Description
The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
Control Information
Responsible role(s) - Organization
SA-15 (9) Use Of Live Data
Description
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.
Control Information
Responsible role(s) - Organization
SA-15 (10) Incident Response Plan
Description
The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.
Control Information
Responsible role(s) - Organization
SA-15 (11) Archive Information System / Component
Description
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.
Control Information
Responsible role(s) - Organization
SA-16 Developer-Provided Training
Description
The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
Control Information
Responsible role(s) - Organization
SA-17 Developer Security Architecture And Design
Description
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
- Is consistent with and supportive of the organization's security architecture, which is established within and is an integrated part of the organization's enterprise architecture;
- Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
- Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
Control Information
Responsible role(s) - Organization
SA-17 (1) Formal Policy Model
Description
The organization requires the developer of the information system, system component, or information system service to:
- Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and
- Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.
Control Information
Responsible role(s) - Organization
SA-17 (2) Security-Relevant Components
Description
The organization requires the developer of the information system, system component, or information system service to:
- Define security-relevant hardware, software, and firmware; and
- Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
Control Information
Responsible role(s) - Organization
SA-17 (3) Formal Correspondence
Description
The organization requires the developer of the information system, system component, or information system service to:
- Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
- Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
- Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
- Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
- Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
Control Information
Responsible role(s) - Organization
SA-17 (4) Informal Correspondence
Description
The organization requires the developer of the information system, system component, or information system service to:
- Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
- Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
- Show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
- Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
- Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
Control Information
Responsible role(s) - Organization
SA-17 (5) Conceptually Simple Design
Description
The organization requires the developer of the information system, system component, or information system service to:
- Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
- Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
Control Information
Responsible role(s) - Organization
SA-17 (6) Structure For Testing
Description
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.
Control Information
Responsible role(s) - Organization
SA-17 (7) Structure For Least Privilege
Description
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
Control Information
Responsible role(s) - Organization
SA-18 Tamper Resistance And Detection
Description
The organization implements a tamper protection program for the information system, system component, or information system service.
Control Information
Responsible role(s) - Organization
SA-18 (1) Multiple Phases Of SDLC
Description
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance.
Control Information
Responsible role(s) - Organization
SA-18 (2) Inspection Of Information Systems, Components, Or Devices
Description
The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering.
Control Information
Responsible role(s) - Organization
SA-19 Component Authenticity
Description
The organization:
- Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
- Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
Control Information
Responsible role(s) - Organization
SA-19 (1) Anti-Counterfeit Training
Description
The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).
Control Information
Responsible role(s) - Organization
SA-19 (2) Configuration Control For Component Service / Repair
Description
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.
Control Information
Responsible role(s) - Organization
SA-19 (3) Component Disposal
Description
The organization disposes of information system components using [Assignment: organization-defined techniques and methods].
Control Information
Responsible role(s) - Organization
SA-19 (4) Anti-Counterfeit Scanning
Description
The organization scans for counterfeit information system components [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
SA-20 Customized Development Of Critical Components
Description
The organization re-implements or custom develops [Assignment: organization-defined critical information system components].
Control Information
Responsible role(s) - Organization
SA-21 Developer Screening
Description
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
- Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
- Satisfy [Assignment: organization-defined additional personnel screening criteria].
Control Information
Responsible role(s) - Organization
SA-21 (1) Validation Of Screening
Description
The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied.
Control Information
Responsible role(s) - Organization
SA-22 Unsupported System Components
Description
The organization:
- Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
- Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
Control Information
Responsible role(s) - Organization
SA-22 (1) Alternative Sources For Continued Support
Description
The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components.
Control Information
Responsible role(s) - Organization