
SA-10(7) Developer Configuration Management | Security and Privacy Representatives

IL5
IL6

>Control Description

Require organization-defined security and privacy representatives to be included in the organization-defined configuration change management and control process.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Information security and privacy representatives can include system security officers, senior agency information security officers, senior agency officials for privacy, and system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems.

The configuration change management and control process in this control enhancement refers to the change management and control process defined by organizations in SA-10b.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • Which security and privacy roles (for example, system security officers, senior agency officials for privacy, system privacy officers) are designated as the representatives required by SA-10(7)?
  • What policy or procedure requires their participation in the configuration change management and control process defined under SA-10b, and at which stages (change request, impact analysis, approval, post-implementation verification) are they involved?
  • Who is responsible for ensuring that no configuration change is approved without the required security and privacy representative review?

Technical Implementation:

  • How does the change management tooling (change tickets, code or configuration review, configuration control board records) enforce or record the representatives' participation rather than relying on informal notification?
  • How are security- or privacy-relevant side effects of a proposed change identified and raised to the representatives early enough to stop or modify the change before implementation?
  • How are emergency or expedited changes handled so that security and privacy representatives are still included, or at minimum review the change afterward?

Evidence & Documentation:

  • Can you provide change records that show security and privacy representative review and approval for specific changes?
  • What evidence shows that changes flagged as security- or privacy-relevant were resolved or accepted by the representatives before implementation?
  • Where are configuration change management records, including representative sign-offs, maintained throughout the system lifecycle?
