Security Control: System and Services Acquisition – Class: Management

by nanggroe on October 20, 2011

SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES

Control

The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

Supplemental Guidance

The system and services acquisition policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The system and services acquisition policy can be included as part of the general information security policy for the organization. System and services acquisition procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.

Control Enhancements

None.

Baseline Allocation

LOW: SA-1; MOD: SA-1; HIGH: SA-1

SA-2 ALLOCATION OF RESOURCES

Control

The organization determines, documents, and allocates as part of its capital planning and investment control process the resources required to adequately protect the information system.

Supplemental Guidance

The organization includes the determination of security requirements for the information system in mission/business case planning and establishes a discrete line item for information system security in the organization’s programming and budgeting documentation. NIST Special Publication 800-65 provides guidance on integrating security into the capital planning and investment control process.

Control Enhancements

None.

Baseline Allocation

LOW: SA-2; MOD: SA-2; HIGH: SA-2

SA-3 LIFE CYCLE SUPPORT

Control

The organization manages the information system using a system development life cycle methodology that includes information security considerations.

Supplemental Guidance

NIST Special Publication 800-64 provides guidance on security considerations in the system development life cycle.

Control Enhancements

None.

Baseline Allocation

LOW: SA-3; MOD: SA-3; HIGH: SA-3

SA-4 ACQUISITIONS

Control

The organization includes security requirements and/or security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk.

Supplemental Guidance

Solicitation Documents - The solicitation documents (e.g., Requests for Proposals) for information systems and services include, either explicitly or by reference, security requirements that describe: (i) required security capabilities; (ii) required design and development processes; (iii) required test and evaluation procedures; and (iv) required documentation. The requirements in the solicitation documents permit updating security controls as new threats/vulnerabilities are identified and as new technologies are implemented. NIST Special Publication 800-53 provides guidance on recommended security controls for federal information systems to meet minimum security requirements for information systems categorized in accordance with FIPS 199. NIST Special Publication 800-36 provides guidance on the selection of information security products. NIST Special Publication 800-35 provides guidance on information technology security services. NIST Special Publication 800-64 provides guidance on security considerations in the system development life cycle.

Use of Tested, Evaluated, and Validated Products - NIST Special Publication 800-23 provides guidance on the acquisition and use of tested/evaluated information technology products.

Configuration Settings and Implementation Guidance - The information system required documentation includes security configuration settings and security implementation guidance. NIST Special Publication 800-70 provides guidance on configuration settings for information technology products.

Control Enhancements

None.

Baseline Allocation

LOW: SA-4; MOD: SA-4; HIGH: SA-4

SA-5 INFORMATION SYSTEM DOCUMENTATION

Control

The organization ensures that adequate documentation for the information system and its constituent components is available, protected when required, and distributed to authorized personnel.

Supplemental Guidance

Administrator and user guides include information on: (i) configuring, installing, and operating the information system; and (ii) optimizing the system’s security features. NIST Special Publication 800-70 provides guidance on configuration settings for information technology products.

Control Enhancements

(1) The organization includes documentation describing the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls.

(2) The organization includes documentation describing the design and implementation details of the security controls employed within the information system with sufficient detail to permit analysis and testing of the controls (including functional interfaces among control components).

Baseline Allocation

LOW: SA-5; MOD: SA-5 (1); HIGH: SA-5 (1) (2)

SA-6 SOFTWARE USAGE RESTRICTIONS

Control

The organization complies with software usage restrictions.

Supplemental Guidance

Software and associated documentation are used in accordance with contract agreements and copyright laws. For software and associated documentation protected by quantity licenses, the organization employs tracking systems to control copying and distribution. The organization controls and documents the use of publicly accessible peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Control Enhancements

None.

Baseline Allocation

LOW: SA-6; MOD: SA-6; HIGH: SA-6

SA-7 USER INSTALLED SOFTWARE

Control

The organization enforces explicit rules governing the downloading and installation of software by users.

Supplemental Guidance

If provided the necessary privileges, users have the ability to download and install software. The organization identifies what types of software downloads and installations are permitted (e.g., updates and security patches to existing software) and what types of downloads and installations are prohibited (e.g., software that is free only for personal, not government, use). The organization also restricts the use of install-on-demand software.

Control Enhancements

None.

Baseline Allocation

LOW: SA-7; MOD: SA-7; HIGH: SA-7

SA-8 SECURITY DESIGN PRINCIPLES

Control

The organization designs and implements the information system using security engineering principles.

Supplemental Guidance

NIST Special Publication 800-27 provides guidance on engineering principles for information system security.

Control Enhancements

None.

Baseline Allocation

LOW: Not Selected; MOD: SA-8; HIGH: SA-8

SA-9 OUTSOURCED INFORMATION SYSTEM SERVICES

Control

The organization ensures that third-party providers of information system services employ adequate security controls in accordance with applicable federal laws, directives, policies, regulations, standards, guidance, and established service level agreements. The organization monitors security control compliance.

Supplemental Guidance

Third-party providers are subject to the same information system security policies and procedures of the supported organization, and must conform to the same security control and documentation requirements as would apply to the organization’s internal systems. Appropriate organizational officials approve outsourcing of information system services to third-party providers (e.g., service bureaus, contractors, and other external organizations). The outsourced information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service level agreements. Service level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of non-compliance. NIST Special Publication 800-35 provides guidance on information technology security services. NIST Special Publication 800-64 provides guidance on the security considerations in the system development life cycle.

Control Enhancements

None.

Baseline Allocation

LOW: SA-9; MOD: SA-9; HIGH: SA-9

SA-10 DEVELOPER CONFIGURATION MANAGEMENT

Control

The information system developer creates and implements a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.

Supplemental Guidance

None.

Control Enhancements

None.

Baseline Allocation

LOW: Not Selected; MOD: Not Selected; HIGH: SA-10

SA-11 DEVELOPER SECURITY TESTING

Control

The information system developer creates a security test and evaluation plan, implements the plan, and documents the results. Developmental security test results may be used in support of the security certification and accreditation process for the delivered information system.

Supplemental Guidance

Developmental security test results should be used only when no security-relevant modifications to the information system have been made subsequent to developer testing, and only after selective verification of the developer's test results.
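The two conditions above (no security-relevant change since developer testing, and selective verification by the acquirer) can be turned into a concrete acceptance check. The following Python script is an added example, not NIST text and not any vendor's tool: it assumes the developer's test report records the SHA-256 of the exact build that was tested (field `tested_sha256`) together with per-test pass/fail results (field `results`), re-hashes the delivered artifact to confirm it is that build, and then selects a deterministic sample of test cases for the acquirer to re-run. The report layout, the test identifiers and the artifact bytes are all constructed for the example.

```python
"""Added example (not part of SP 800-53): gate reuse of developer security test
results (SA-11) on the two conditions the supplemental guidance names.

(a) The delivered artifact must be the exact build the developer tested, so no
    security-relevant change can have been made afterwards. The developer report
    is assumed to carry the SHA-256 of the tested build; we re-hash the delivery.
(b) The acquirer selectively verifies the developer's results by re-running a
    deterministic sample of the reported test cases itself.

The report fields (`tested_sha256`, `results`) are assumptions for this example.
"""

import hashlib
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TestReport:
    tested_sha256: str          # digest of the build the developer actually tested
    results: Dict[str, bool]    # test id -> passed?


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def results_reusable(delivered: bytes, report: TestReport) -> bool:
    """True only if the delivered bytes hash to the build recorded in the report."""
    return sha256_hex(delivered) == report.tested_sha256


def verification_sample(report: TestReport, fraction: float, seed: int) -> List[str]:
    """Test ids the acquirer re-runs independently; seeded so the choice is auditable."""
    ids = sorted(report.results)
    k = max(1, int(len(ids) * fraction))
    return sorted(random.Random(seed).sample(ids, k))


def assess(delivered: bytes, report: TestReport,
           fraction: float = 0.25, seed: int = 0) -> dict:
    """Decision record: may the developer's results support C&A, and what to re-run."""
    if not results_reusable(delivered, report):
        return {"reusable": False,
                "reason": "delivered artifact is not the build that was tested",
                "verify": []}
    failed = sorted(t for t, ok in report.results.items() if not ok)
    return {"reusable": True,
            "failed_in_developer_testing": failed,
            "verify": verification_sample(report, fraction, seed)}


# Constructed sample data: a stand-in artifact and a report for that exact build.
TESTED_BUILD = b"example-build-1.0 (constructed stand-in for a delivered binary)"
REPORT = TestReport(
    tested_sha256=sha256_hex(TESTED_BUILD),
    results={
        "T01-auth-bypass": True,
        "T02-access-enforcement": True,
        "T03-tls-config": True,
        "T04-input-validation": False,   # developer reported one failure
        "T05-audit-events": True,
        "T06-config-settings": True,
        "T07-crypto-modules": True,
        "T08-malicious-code": True,
    },
)

if __name__ == "__main__":
    print(assess(TESTED_BUILD, REPORT))
    # A post-test hotfix changes the bytes, so the developer results no longer apply.
    print(assess(TESTED_BUILD + b" + post-test hotfix", REPORT))
```

The digest comparison is deliberately strict: any change to the delivered bytes, security-relevant or not, invalidates reuse, because the acquirer cannot tell from the artifact alone which kind of change was made. Failures the developer reported are surfaced separately so they can be tracked to closure rather than silently accepted.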

Control Enhancements

None.

Baseline Allocation

LOW: Not Selected; MOD: SA-11; HIGH: SA-11
