catalog: SP800-53rev3 / class: Management / family: (SA) System and Services Acquisition
SA-04: Acquisitions

base control objective:
The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:
a. Security functional requirements/specifications;
b. Security-related documentation requirements; and
c. Developmental and evaluation-related assurance requirements.

supplemental objective information:
The acquisition documents for information systems, information system components, and information system services include, either explicitly or by reference, security requirements that describe: (i) required security capabilities (i.e., security needs and, as necessary, specific security controls and other specific FISMA requirements); (ii) required design and development processes; (iii) required test and evaluation procedures; and (iv) required documentation. The requirements in the acquisition documents permit updating security controls as new threats/vulnerabilities are identified and as new technologies are implemented. Acquisition documents also include requirements for appropriate information system documentation. The documentation addresses user and system administrator guidance and information regarding the implementation of the security controls in the information system. The level of detail required in the documentation is based on the security categorization for the information system. In addition, the required documentation includes security configuration settings and security implementation guidance. FISMA reporting instructions provide guidance on configuration requirements for federal information systems.

enhancements to the base objective:

(1) The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.

(2) The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.

(3) The organization limits the acquisition of commercial information technology products with security capabilities to products which have been evaluated and validated through one of the following sources:
(a) International Common Criteria for Information Technology Security Evaluation Mutual Recognition Arrangement;
(b) National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme; or
(c) NIST Cryptographic Module Validation Program.
Enhancement Supplemental Guidance: Robustness requirements (i.e., strength of security mechanisms and associated assurances with respect to the mechanisms), organizational missions and business processes, and overall customer needs together enable an experienced information systems security engineer to recommend the use of a particular evaluated and/or validated information technology product or, for a product being submitted for evaluation, a specific Common Criteria evaluation assurance level (EAL).

(4) The organization requires software vendors/manufacturers to demonstrate that their software development processes employ state-of-the-practice software and security engineering methods, quality control processes, and validation techniques to minimize flawed or malformed software.

(5) The organization ensures that each information system component acquired is explicitly assigned to an information system and that the owner of the system acknowledges this assignment.

(6) The organization limits the acquisition of information assurance (IA) and IA-enabled government off-the-shelf (GOTS) information technology products to those products that have been evaluated by the National Security Agency (NSA) or in accordance with NSA-approved processes.

(7) The organization ensures that, at a minimum, basic robustness commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products are used to protect publicly-released information from malicious tampering or destruction and ensure its availability.
Enhancement Supplemental Guidance: Basic robustness requirements for COTS information technology products are defined in Protection Profile Consistency Guidance published under the Information Assurance Technical Framework.

(8) The organization ensures that, at a minimum, medium robustness commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products are used to protect Controlled Unclassified Information (CUI) when the information transits public networks or the information is accessible by individuals who are not authorized to access all the information on the information system.
Enhancement Supplemental Guidance: Medium robustness requirements for COTS information technology products are defined in Protection Profile Consistency Guidance published by the National Security Agency (NSA) under the Information Assurance Technical Framework. COTS IA or IA-enabled information technology products used to protect national security information by cryptographic means may be required to use NSA-approved key management.

(9) The organization:
(a) Employs only high robustness government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products to protect classified, national security information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(b) Ensures that high robustness information technology products have been evaluated and/or validated by the National Security Agency (NSA) or in accordance with NSA-approved procedures.
Enhancement Supplemental Guidance: COTS IA or IA-enabled information technology products used to protect national security information by cryptographic means may be required to use NSA-approved key management.

(10) The organization requires in acquisition documents that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades.

mapping to FIPS199 baseline:

LOW: base     MOD: base (1) (4)     HIGH: base (1) (2) (4)

related (regimented) controls:

None.

documents referenced in SP800-53rev3 for SA-04:

Document        Date            Status    Title
NIST SP800-23   August 2000     current   Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
NIST SP800-35   October 2003    current   Guide to Information Technology Security Services
NIST SP800-36   October 2003    current   Guide to Selecting Information Technology Security Products
NIST SP800-64   October 2008    current   Security Considerations in the Information System Development Life Cycle
NIST SP800-70   September 2009  current   Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers
NIST SP800-94   August 2006     DRAFT     Guide to Intrusion Detection and Prevention Systems (IDPS)
