System and Services Acquisition (SA)

[Withdrawn: Moved to SR-10.]



[Withdrawn: Moved to SR-11.]



[Withdrawn: Moved to SR-11(1).]



[Withdrawn: Moved to SR-11(2).]



a. Require the developer of the system, system component, or system service to follow a documented development process that:
   1. Explicitly addresses security and privacy requirements;
   2. Identifies the standards and tools used in the development process;
   3. Documents the specific tool options and tool configurations used in the development process; and
   4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].



Require the developer of the system, system component, or system service to: (a) Define quality metrics at the beginning of the development process; and (b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].



Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.



Require the developer of the system, system component, or system service to perform a criticality analysis: (a) At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (b) At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].



[Withdrawn: Moved to SR-12.]



Require the developer of the system, system component, or system service to reduce attack surfaces to [Assignment: organization-defined thresholds].

