catalog: SP800-53rev3 / class: Management / family: (SA) System and Services Acquisition

  SA-10: Developer Configuration Management  

base control objective:
The organization requires that information system developers/integrators:
a. Perform configuration management during information system design, development, implementation, and operation;
b. Manage and control changes to the information system;
c. Implement only organization-approved changes;
d. Document approved changes to the information system; and
e. Track security flaws and flaw resolution.

supplemental objective information:
None.

enhancements to the base objective:

(1) The organization requires that information system developers/integrators provide an integrity check of software to facilitate organizational verification of software integrity after delivery.

(2) The organization provides an alternative configuration management process with organizational personnel in the absence of dedicated developer/integrator configuration management team.
Enhancement Supplemental Guidance: The configuration management process includes key organizational personnel that are responsible for reviewing and approving proposed changes to the information system, and security personnel that conduct impact analyses prior to the implementation of any changes to the system.

mapping to FIPS199 baseline:

  LOW: null     MOD: base     HIGH: base  

related (regimented) controls:

CM-03   Configuration Change Control
CM-04   Security Impact Analysis
CM-09   Configuration Management Plan

documents referenced in SP800-53rev3 for SA-10:

None.
