home || catalog: SP800-53rev3 / class: Management / family: (SA) System and Services Acquisition ||
search controls:
search nistpubs:

AC
AT
AU
CA
CM
CP
IA
IR
MA
MP
PE
PL
PM
PS
RA
SA

SA-01
SA-02
SA-03
SA-04
SA-05
SA-06
SA-07
SA-08
SA-09
SA-10
SA-11
SA-12
SA-13
SA-14 *

SC
SI
MMMMM

  SA-14: Critical Information System Components  

base control objective:
The organization:
a. Determines [Assignment: organization-defined list of critical information system components that require reimplementation]; and
b. Re-implements or custom develops such information system components.

supplemental objective information:
The underlying assumption is that the list of information technology products defined by the organization cannot be trusted due to threats from the supply chain that the organization finds unacceptable. The organization re-implements or custom develops such components to satisfy requirements for high assurance.

enhancements to the base objective:

(1) The organization:
(a) Identifies information system components for which alternative sourcing is not viable; and
(b) Employs [Assignment: organization-defined measures] to ensure that critical security controls for the information system components are not compromised.
Enhancement Supplemental Guidance: Measures that the organization considers implementing include, for example, enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files.

mapping to FIPS199 baseline:

  LOW: null     MOD: null     HIGH: null  

related (regimented) controls:

SA-12   Supply Chain Protection
SA-13   Trustworthiness

documents referenced in SP800-53rev3 for SA-14:

None.

Document Date Status Title

Search SP800-53rev3 catalog: