>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SA-21Developer Screening

High

>Control Description

Require that the developer of organization-defined system, system component, or system service: a. Has appropriate access authorizations as determined by assigned organization-defined official government duties; and b. Satisfies the following additional personnel screening criteria: organization-defined additional personnel screening criteria.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy.

The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed.

Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.

>Cross-Framework Mappings

SCF

TDA-13
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-21?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-21?
  • How is security integrated throughout your system development lifecycle (SDLC)?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?
  • What security practices are required at each phase of the SDLC?
  • What secure coding practices and standards are required for developers?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?
  • Can you show evidence of security activities performed during development?
  • Can you provide code review or static analysis results?

Ask AI

Configure your API key to use AI features.