SA - System and Services Acquisition
- Controls Count: 9
- Controls IDs: SA-1, SA-2, SA-3, SA-4, SA-4 (10), SA-5, SA-8, SA-9, SA-22
Controls
SA-1: Policy and Procedures
Develop, document, and disseminate to organization-defined personnel or roles:
organization-level, mission/business process-level, and/or system-level system and services acquisition policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;
Designate an an official to manage the system and services acquisition policy and procedures is defined; to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and
Review and update the current system and services acquisition:
Policy the frequency at which the current system and services acquisition policy is reviewed and updated is defined; and following events that would require the current system and services acquisition policy to be reviewed and updated are defined; ; and
Procedures the frequency at which the current system and services acquisition procedures are reviewed and updated is defined; and following events that would require the system and services acquisition procedures to be reviewed and updated are defined;.
System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
a system and services acquisition policy is developed and documented;
the system and services acquisition policy is disseminated to personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;;
system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;
the system and services acquisition procedures are disseminated to personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;;
the organization-level, mission/business process-level, and/or system-level system and services acquisition policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level system and services acquisition policy addresses scope;
the organization-level, mission/business process-level, and/or system-level system and services acquisition policy addresses roles;
the organization-level, mission/business process-level, and/or system-level system and services acquisition policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level system and services acquisition policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level system and services acquisition policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level system and services acquisition policy addresses compliance;
the organization-level, mission/business process-level, and/or system-level system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the an official to manage the system and services acquisition policy and procedures is defined; is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;
the system and services acquisition policy is reviewed and updated the frequency at which the current system and services acquisition policy is reviewed and updated is defined;;
the current system and services acquisition policy is reviewed and updated following events that would require the current system and services acquisition policy to be reviewed and updated are defined;;
the current system and services acquisition procedures are reviewed and updated the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;;
the current system and services acquisition procedures are reviewed and updated following events that would require the system and services acquisition procedures to be reviewed and updated are defined;.
System and services acquisition policy
system and services acquisition procedures
supply chain risk management policy
supply chain risk management procedures
supply chain risk management plan
system security plan
privacy plan
other relevant documents or records
Organizational personnel with system and services acquisition responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with supply chain risk management responsibilities
SA-2: Allocation of Resources
Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and
Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.
Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.
the high-level information security requirements for the system or system service are determined in mission and business process planning;
the high-level privacy requirements for the system or system service are determined in mission and business process planning;
the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;
the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;
a discrete line item for information security is established in organizational programming and budgeting documentation;
a discrete line item for privacy is established in organizational programming and budgeting documentation.
System and services acquisition policy
system and services acquisition procedures
system and services acquisition strategy and plans
procedures addressing the allocation of resources to information security and privacy requirements
procedures addressing capital planning and investment control
organizational programming and budgeting documentation
system security plan
privacy plan
supply chain risk management policy
other relevant documents or records
Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with supply chain risk management responsibilities
Organizational processes for determining information security and privacy requirements
organizational processes for capital planning, programming, and budgeting
mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting
SA-3: System Development Life Cycle
Acquire, develop, and manage the system using system development life cycle is defined; that incorporates information security and privacy considerations;
Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
Identify individuals having information security and privacy roles and responsibilities; and
Integrate the organizational information security and privacy risk management process into system development life cycle activities.
A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.
The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.
the system is acquired, developed, and managed using system development life cycle is defined; that incorporates information security considerations;
the system is acquired, developed, and managed using system development life cycle is defined; that incorporates privacy considerations;
information security roles and responsibilities are defined and documented throughout the system development life cycle;
privacy roles and responsibilities are defined and documented throughout the system development life cycle;
individuals with information security roles and responsibilities are identified;
individuals with privacy roles and responsibilities are identified;
organizational information security risk management processes are integrated into system development life cycle activities;
organizational privacy risk management processes are integrated into system development life cycle activities.
System and services acquisition policy
system and services acquisition procedures
procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process
system development life cycle documentation
organizational risk management strategy
information security and privacy risk management strategy documentation
system security plan
privacy plan
privacy program plan
enterprise architecture documentation
role-based security and privacy training program documentation
data mapping documentation
other relevant documents or records
Organizational personnel with information security and privacy responsibilities
organizational personnel with system life cycle development responsibilities
organizational personnel with supply chain risk management responsibilities
Organizational processes for defining and documenting the system development life cycle
organizational processes for identifying system development life cycle roles and responsibilities
organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle
mechanisms supporting and/or implementing the system development life cycle
SA-4: Acquisition Process
Include the following requirements, descriptions, and criteria, explicitly or by reference, using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service:
Security and privacy functional requirements;
Strength of mechanism requirements;
Security and privacy assurance requirements;
Controls needed to satisfy the security and privacy requirements.
Security and privacy documentation requirements;
Requirements for protecting security and privacy documentation;
Description of the system development environment and environment in which the system is intended to operate;
Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
Acceptance criteria.
Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2 . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.
Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.
Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.
security functional requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
privacy functional requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
security assurance requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
security documentation requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service;
the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected);;
the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected);;
acceptance criteria requirements and descriptions are included explicitly or by reference using standardized contract languageand/or contract language is defined (if selected); in the acquisition contract for the system, system component, or system service.
System and services acquisition policy
system and services acquisition procedures
procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process
configuration management plan
acquisition contracts for the system, system component, or system service
system design documentation
system security plan
supply chain risk management plan
privacy plan
other relevant documents or records
Organizational personnel with acquisition/contracting responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
organizational personnel with supply chain risk management responsibilities
Organizational processes for determining system security and privacy functional, strength, and assurance requirements
organizational processes for developing acquisition contracts
mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts
SA-4 (10): Use of Approved PIV Products
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations.
only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.
Supply chain risk management plan
system and services acquisition policy
procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process
solicitation documentation
acquisition documentation
acquisition contracts for the system, system component, or system service
service level agreements
FIPS 201 approved products list
system security plan
other relevant documents or records
Organizational personnel with acquisition/contracting responsibilities
organizational personnel with the responsibility for determining system security requirements
organizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented
organizational personnel with information security responsibilities
Organizational processes for selecting and employing FIPS 201-approved products
SA-5: System Documentation
Obtain or develop administrator documentation for the system, system component, or system service that describes:
Secure configuration, installation, and operation of the system, component, or service;
Effective use and maintenance of security and privacy functions and mechanisms; and
Known vulnerabilities regarding configuration and use of administrative or privileged functions;
Obtain or develop user documentation for the system, system component, or system service that describes:
User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined; in response; and
Distribute documentation to personnel or roles to distribute system documentation to is/are defined;.
System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.
administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;
administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;
administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;
administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;
administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;
administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;
administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;
administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;
administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;
user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;
user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;
user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;
user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;
user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;
user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;
user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;
user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;
attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;
after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined; are taken in response;
documentation is distributed to personnel or roles to distribute system documentation to is/are defined;.
System and services acquisition policy
system and services acquisition procedures
procedures addressing system documentation
system documentation, including administrator and user guides
system design documentation
records documenting attempts to obtain unavailable or nonexistent system documentation
list of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation
risk management strategy documentation
system security plan
privacy plan
privacy impact assessment
privacy risk assessment documentation
other relevant documents or records
Organizational personnel with acquisition/contracting responsibilities
organizational personnel with information security and privacy responsibilities
system administrators
organizational personnel responsible for operating, using, and/or maintaining the system
system developers
Organizational processes for obtaining, protecting, and distributing system administrator and user documentation
SA-8: Security and Privacy Engineering Principles
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: organization-defined systems security and privacy engineering principles.
Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3 ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.
The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.
Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.
systems security engineering principles are defined; are applied in the specification of the system and system components;
systems security engineering principles are defined; are applied in the design of the system and system components;
systems security engineering principles are defined; are applied in the development of the system and system components;
systems security engineering principles are defined; are applied in the implementation of the system and system components;
systems security engineering principles are defined; are applied in the modification of the system and system components;
privacy engineering principles are defined; are applied in the specification of the system and system components;
privacy engineering principles are defined; are applied in the design of the system and system components;
privacy engineering principles are defined; are applied in the development of the system and system components;
privacy engineering principles are defined; are applied in the implementation of the system and system components;
privacy engineering principles are defined; are applied in the modification of the system and system components.
System and services acquisition policy
system and services acquisition procedures
assessment and authorization procedures
procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system
system design documentation
security and privacy requirements and specifications for the system
system security plan
privacy plan
privacy impact assessment
privacy risk assessment documentation
other relevant documents or records
Organizational personnel with acquisition/contracting responsibilities
organizational personnel with information security and privacy responsibilities
organizational personnel with system specification, design, development, implementation, and modification responsibilities
system developers
Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification
mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification
SA-9: External System Services
Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: controls to be employed by external system service providers are defined;;
Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: processes, methods, and techniques employed to monitor control compliance by external service providers are defined;.
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.
providers of external system services comply with organizational security requirements;
providers of external system services comply with organizational privacy requirements;
providers of external system services employ controls to be employed by external system service providers are defined;;
organizational oversight with regard to external system services are defined and documented;
user roles and responsibilities with regard to external system services are defined and documented;
processes, methods, and techniques employed to monitor control compliance by external service providers are defined; are employed to monitor control compliance by external service providers on an ongoing basis.
System and services acquisition policy
system and services acquisition procedures
procedures addressing methods and techniques for monitoring control compliance by external service providers of system services
acquisition documentation
contracts
service level agreements
interagency agreements
licensing agreements
list of organizational security and privacy requirements for external provider services
control assessment results or reports from external providers of system services
system security plan
privacy plan
supply chain risk management plan
other relevant documents or records
Organizational personnel with acquisition responsibilities
external providers of system services
organizational personnel with information security and privacy responsibilities
organizational personnel with supply chain risk management responsibilities
Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis
mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis
SA-22: Unsupported System Components
Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
Provide the following options for alternative sources for continued support for unsupported components in-house supportand/or support from external providers is defined (if selected);.
Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.
Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.
system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;
in-house supportand/or support from external providers is defined (if selected); provide options for alternative sources for continued support for unsupported components.
System and services acquisition policy
procedures addressing the replacement or continued use of unsupported system components
documented evidence of replacing unsupported system components
documented approvals (including justification) for the continued use of unsupported system components
system security plan
supply chain risk management plan
other relevant documents or records
Organizational personnel with system and service acquisition responsibilities
organizational personnel with information security responsibilities
organizational personnel with the responsibility for the system development life cycle
organizational personnel responsible for component replacement
Organizational processes for replacing unsupported system components
mechanisms supporting and/or implementing the replacement of unsupported system components