Under active development — Content is continuously updated and improved

Home / Frameworks / NIST SP 800-53 / SA — System and Services Acquisition

SA — System and Services Acquisition

147 controls in the System and Services Acquisition family

SA-1Policy And Procedures

SA-2Allocation Of Resources

SA-3System Development Life Cycle

SA-3(1)Manage Preproduction Environment

SA-3(2)Use Of Live Or Operational Data

SA-3(3)Technology Refresh

SA-4Acquisition Process

SA-4(1)Functional Properties Of Controls

SA-4(2)Design And Implementation Information For Controls

SA-4(3)Development Methods, Techniques, And Practices

SA-4(4)Assignment Of Components To Systems

SA-4(5)System, Component, And Service Configurations

SA-4(6)Use Of Information Assurance Products

SA-4(7)Niap-Approved Protection Profiles

SA-4(8)Continuous Monitoring Plan For Controls

SA-4(9)Functions, Ports, Protocols, And Services In Use

SA-4(10)Use Of Approved Piv Products

SA-4(11)System Of Records

SA-4(12)Data Ownership

SA-5System Documentation

SA-5(1)Functional Properties Of Security Controls

SA-5(2)Security-Relevant External System Interfaces

SA-5(3)High-Level Design

SA-5(4)Low-Level Design

SA-5(5)Source Code

SA-6Software Usage Restrictions

SA-7User-Installed Software

SA-8Security And Privacy Engineering Principles

SA-8(1)Clear Abstractions

SA-8(2)Least Common Mechanism

SA-8(3)Modularity And Layering

SA-8(4)Partially Ordered Dependencies

SA-8(5)Efficiently Mediated Access

SA-8(6)Minimized Sharing

SA-8(7)Reduced Complexity

SA-8(8)Secure Evolvability

SA-8(9)Trusted Components

SA-8(10)Hierarchical Trust

SA-8(11)Inverse Modification Threshold

SA-8(12)Hierarchical Protection

SA-8(13)Minimized Security Elements

SA-8(14)Least Privilege

SA-8(15)Predicate Permission

SA-8(16)Self-Reliant Trustworthiness

SA-8(17)Secure Distributed Composition

SA-8(18)Trusted Communications Channels

SA-8(19)Continuous Protection

SA-8(20)Secure Metadata Management

SA-8(21)Self-Analysis

SA-8(22)Accountability And Traceability

SA-8(23)Secure Defaults

SA-8(24)Secure Failure And Recovery

SA-8(25)Economic Security

SA-8(26)Performance Security

SA-8(27)Human Factored Security

SA-8(28)Acceptable Security

SA-8(29)Repeatable And Documented Procedures

SA-8(30)Procedural Rigor

SA-8(31)Secure System Modification

SA-8(32)Sufficient Documentation

SA-8(33)Minimization

SA-9External System Services

SA-9(1)Risk Assessments And Organizational Approvals

SA-9(2)Identification Of Functions, Ports, Protocols, And Services

SA-9(3)Establish And Maintain Trust Relationship With Providers

SA-9(4)Consistent Interests Of Consumers And Providers

SA-9(5)Processing, Storage, And Service Location

SA-9(6)Organization-Controlled Cryptographic Keys

SA-9(7)Organization-Controlled Integrity Checking

SA-9(8)Processing And Storage Location -- U.S. Jurisdiction

SA-10Developer Configuration Management

SA-10(1)Software And Firmware Integrity Verification

SA-10(2)Alternative Configuration Management Processes

SA-10(3)Hardware Integrity Verification

SA-10(4)Trusted Generation

SA-10(5)Mapping Integrity For Version Control

SA-10(6)Trusted Distribution

SA-10(7)Security And Privacy Representatives

SA-11Developer Testing And Evaluation

SA-11(1)Static Code Analysis

SA-11(2)Threat Modeling And Vulnerability Analyses

SA-11(3)Independent Verification Of Assessment Plans And Evidence

SA-11(4)Manual Code Reviews

SA-11(5)Penetration Testing

SA-11(6)Attack Surface Reviews

SA-11(7)Verify Scope Of Testing And Evaluation

SA-11(8)Dynamic Code Analysis

SA-11(9)Interactive Application Security Testing

SA-12Supply Chain Protection

SA-12(1)Acquisition Strategies / Tools / Methods

SA-12(2)Supplier Reviews

SA-12(3)Trusted Shipping And Warehousing

SA-12(4)Diversity Of Suppliers

SA-12(5)Limitation Of Harm

SA-12(6)Minimizing Procurement Time

SA-12(7)Assessments Prior To Selection / Acceptance / Update

SA-12(8)Use Of All-Source Intelligence

SA-12(9)Operations Security

SA-12(10)Validate As Genuine And Not Altered

SA-12(11)Penetration Testing / Analysis Of Elements, Processes, And Actors

SA-12(12)Inter-Organizational Agreements

SA-12(13)Critical Information System Components

SA-12(14)Identity And Traceability

SA-12(15)Processes To Address Weaknesses Or Deficiencies

SA-13Trustworthiness

SA-14Criticality Analysis

SA-14(1)Critical Components With No Viable Alternative Sourcing

SA-15Development Process, Standards, And Tools

SA-15(1)Quality Metrics

SA-15(2)Security And Privacy Tracking Tools

SA-15(3)Criticality Analysis

SA-15(4)Threat Modeling And Vulnerability Analysis

SA-15(5)Attack Surface Reduction

SA-15(6)Continuous Improvement

SA-15(7)Automated Vulnerability Analysis

SA-15(8)Reuse Of Threat And Vulnerability Information

SA-15(9)Use Of Live Data

SA-15(10)Incident Response Plan

SA-15(11)Archive System Or Component

SA-15(12)Minimize Personally Identifiable Information

SA-15(13)Logging Syntax

SA-16Developer-Provided Training

SA-17Developer Security And Privacy Architecture And Design

SA-17(1)Formal Policy Model

SA-17(2)Security-Relevant Components

SA-17(3)Formal Correspondence

SA-17(4)Informal Correspondence

SA-17(5)Conceptually Simple Design

SA-17(6)Structure For Testing

SA-17(7)Structure For Least Privilege

SA-17(8)Orchestration

SA-17(9)Design Diversity

SA-18Tamper Resistance And Detection

SA-18(1)Multiple Phases Of System Development Life Cycle

SA-18(2)Inspection Of Systems Or Components

SA-19Component Authenticity

SA-19(1)Anti-Counterfeit Training

SA-19(2)Configuration Control For Component Service And Repair

SA-19(3)Component Disposal

SA-19(4)Anti-Counterfeit Scanning

SA-20Customized Development Of Critical Components

SA-21Developer Screening

SA-21(1)Validation Of Screening

SA-22Unsupported System Components

SA-22(1)Alternative Sources For Continued Support

SA-23Specialization

SA-24Design For Cyber Resiliency

← Back to all controls