SA - System and Services Acquisition

  • Controls Count: 4
  • Controls IDs: SA-4 (5), SA-16, SA-17, SA-21

Controls

SA-4 (5): System, Component, and Service Configurations

Require the developer of the system, system component, or system service to:

  • Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
  • Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed.

Assessment objectives

  • the developer of the system, system component, or system service is required to deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented;
  • the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.

Examine

  • System and services acquisition policy
  • procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process
  • solicitation documents
  • acquisition documentation
  • acquisition contracts for the system, system component, or system service
  • security configurations to be implemented by the developer of the system, system component, or system service
  • service level agreements
  • system security plan
  • other relevant documents or records

Interview

  • Organizational personnel with acquisition/contracting responsibilities
  • organizational personnel with the responsibility to determine system security requirements
  • system developers or service provider
  • organizational personnel with information security responsibilities

Test

  • Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified

SA-16: Developer-provided Training

Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [Assignment: organization-defined training].

Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms.

Assessment objectives

  • the developer of the system, system component, or system service is required to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.

Examine

  • System and services acquisition policy
  • system and services acquisition procedures
  • procedures addressing developer-provided training
  • solicitation documentation
  • acquisition documentation
  • service level agreements
  • acquisition contracts for the system, system component, or system service
  • organizational security and privacy training policy
  • developer-provided training materials
  • training records
  • system security plan
  • privacy plan
  • privacy impact assessment
  • privacy risk assessment documentation
  • other relevant documents or records

Interview

  • Organizational personnel with system and service acquisition responsibilities
  • organizational personnel with information security and privacy responsibilities
  • system developer
  • external or internal (in-house) developers with training responsibilities for the system, system component, or information system service

SA-17: Developer Security and Privacy Architecture and Design

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:

  • Is consistent with the organization’s security and privacy architecture that is an integral part of the organization’s enterprise architecture;
  • Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and
  • Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.

Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. ISO 15408-2, ISO 15408-3, and SP 800-160-1 provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.

Assessment objectives

  • the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part of the organization’s enterprise architecture;
  • the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part of the organization’s enterprise architecture;
  • the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;
  • the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;
  • the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;
  • the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.

Examine

  • System and services acquisition policy
  • system and services acquisition procedures
  • enterprise architecture policy
  • enterprise architecture documentation
  • procedures addressing developer security and privacy architecture and design specifications for the system
  • solicitation documentation
  • acquisition documentation
  • service level agreements
  • acquisition contracts for the system, system component, or system service
  • system design documentation
  • information system configuration settings and associated documentation
  • system security plan
  • privacy plan
  • other relevant documents or records

Interview

  • Organizational personnel with acquisition responsibilities
  • organizational personnel with information security and privacy responsibilities
  • system developer

SA-21: Developer Screening

Require that the developer of [Assignment: organization-defined system, system component, or system service]:

  • Has appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
  • Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria].

Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.

Assessment objectives

  • the developer of [Assignment: organization-defined system, system component, or system service] is required to have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties];
  • the developer of [Assignment: organization-defined system, system component, or system service] is required to satisfy [Assignment: organization-defined additional personnel screening criteria].

Examine

  • System and services acquisition policy
  • personnel security policy and procedures
  • procedures addressing personnel screening
  • system design documentation
  • acquisition documentation
  • service level agreements
  • acquisition contracts for developer services
  • system configuration settings and associated documentation
  • list of appropriate access authorizations required by the developers of the system
  • personnel screening criteria and associated documentation
  • system security plan
  • supply chain risk management plan
  • other relevant documents or records

Interview

  • Organizational personnel with system and service acquisition responsibilities
  • organizational personnel with information security responsibilities
  • organizational personnel responsible for developer screening

Test

  • Organizational processes for developer screening
  • mechanisms supporting developer screening