System and Services Acquisition (SA)¶

• a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] system and services acquisition policy that:
    • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  • 2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;
• b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and
• c. Review and update the current system and services acquisition:
  • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
• b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and
• c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Acquire, develop, and manage the system using [Assignment: organization-defined system-development life cycle] that incorporates information security and privacy considerations;
• b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
• c. Identify individuals having information security and privacy roles and responsibilities; and
• d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and
• (b) Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection: one or more of: standardized contract language] in the acquisition contract for the system, system component, or system service:

• a. Security and privacy functional requirements;
• b. Strength of mechanism requirements;
• c. Security and privacy assurance requirements;
• d. Controls needed to satisfy the security and privacy requirements.
• e. Security and privacy documentation requirements;
• f. Requirements for protecting security and privacy documentation;
• g. Description of the system development environment and environment in which the system is intended to operate;
• h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
• i. Acceptance criteria.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Selection: one or more of: security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics] at [Assignment: organization-defined level of detail].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:

• (a) [Assignment: organization-defined systems engineering methods];
• (b) [Assignment: sa-04.03_odp.02]; and
• (c) [Assignment: sa-04.03_odp.05].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to:

• (a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
• (b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
• (b) Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
• (b) Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Include organizational data ownership requirements in the acquisition contract; and
• (b) Require all data to be removed from the contractor’s system and returned to the organization within [Assignment: organization-defined time frame].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Obtain or develop administrator documentation for the system, system component, or system service that describes:
  • 1. Secure configuration, installation, and operation of the system, component, or service;
  • 2. Effective use and maintenance of security and privacy functions and mechanisms; and
  • 3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
• b. Obtain or develop user documentation for the system, system component, or system service that describes:
  • 1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
  • 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
  • 3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
• c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and
• d. Distribute documentation to [Assignment: organization-defined personnel or roles].

External Link for Additional Information: myctrl.tools

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of clear abstractions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principles of modularity and layering in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of partially ordered dependencies in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of efficiently mediated access in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of minimized sharing in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of reduced complexity in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of secure evolvability in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of trusted components in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of hierarchical trust in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of minimized security elements in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of least privilege in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of predicate permission in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of secure distributed composition in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of trusted communications channels in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of continuous protection in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of secure metadata management in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of self-analysis in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of accountability and traceability in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of secure defaults in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of secure failure and recovery in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of economic security in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of performance security in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of repeatable and documented procedures in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of secure system modification in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the privacy principle of minimization using [Assignment: organization-defined processes].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls];
• b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
• c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
• (b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services].

External Link for Additional Information: myctrl.tools

Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [Assignment: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Restrict the location of [Selection: one or more of: information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements].

External Link for Additional Information: myctrl.tools

Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide the capability to check the integrity of information while it resides in the external system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Restrict the geographic location of information processing and data storage to facilities located within in the legal jurisdictional boundary of the United States.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to:

• a. Perform configuration management during system, component, or service [Selection: one or more of: design; development; implementation; operation; disposal];
• b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items];
• c. Implement only organization-approved changes to the system, component, or service;
• d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
• e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to enable integrity verification of hardware components.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

• a. Develop and implement a plan for ongoing security and privacy control assessments;
• b. Perform [Selection: one or more of: unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency to conduct] at [Assignment: organization-defined depth and coverage];
• c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
• d. Implement a verifiable flaw remediation process; and
• e. Correct flaws identified during testing and evaluation.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:

• (a) Uses the following contextual information: [Assignment: organization-defined information];
• (b) Employs the following tools and methods: [Assignment: organization-defined tools and methods];
• (c) Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and
• (d) Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
• (b) Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to perform a manual code review of [Assignment: organization-defined specific code] using the following processes, procedures, and/or techniques: [Assignment: organization-defined processes, procedures, and/or techniques].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to perform penetration testing:

• (a) At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and
• (b) Under the following constraints: [Assignment: organization-defined constraints].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to perform attack surface reviews.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Require the developer of the system, system component, or system service to follow a documented development process that:
  • 1. Explicitly addresses security and privacy requirements;
  • 2. Identifies the standards and tools used in the development process;
  • 3. Documents the specific tool options and tool configurations used in the development process; and
  • 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
• b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to:

• (a) Define quality metrics at the beginning of the development process; and
• (b) Provide evidence of meeting the quality metrics [Selection: one or more of: upon delivery].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to perform a criticality analysis:

• (a) At the following decision points in the system development life cycle: [Assignment: organization-defined decision points]; and
• (b) At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to reduce attack surfaces to [Assignment: organization-defined thresholds].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:

• (a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
• (b) Determine the exploitation potential for discovered vulnerabilities;
• (c) Determine potential risk mitigations for delivered vulnerabilities; and
• (d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [Assignment: organization-defined training].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:

• a. Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture;
• b. Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and
• c. Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to:

• (a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and
• (b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to:

• (a) Define security-relevant hardware, software, and firmware; and
• (b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to:

• (a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
• (b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
• (c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
• (d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
• (e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to:

• (a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
• (b) Show via [Selection: one of: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
• (c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
• (d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
• (e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to:

• (a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
• (b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Design [Assignment: organization-defined critical systems] with coordinated behavior to implement the following capabilities: [Assignment: organization-defined capabilities].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Use different designs for [Assignment: organization-defined critical systems] to satisfy a common set of requirements or to provide equivalent functionality.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Require that the developer of [Assignment: organization-defined system, systems component, or system service]:

• a. Has appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
• b. Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
• b. Provide the following options for alternative sources for continued support for unsupported components [Selection: one or more of: in-house support].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Employ [Selection: one or more of: design modification; augmentation; reconfiguration] on [Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Design organizational systems, system components, or system services to achieve cyber resiliency by:
  • 1. Defining the following cyber resiliency goals: [Assignment: organization-defined cyber resiliency goals].
  • 2. Defining the following cyber resiliency objectives: [Assignment: organization-defined cyber resiliency objectives].
  • 3. Defining the following cyber resiliency techniques: [Assignment: organization-defined cyber resiliency techniques].
  • 4. Defining the following cyber resiliency implementation approaches: [Assignment: organization-defined cyber resiliency implementation approaches].
  • 5. Defining the following cyber resiliency design principles: [Assignment: organization-defined cyber resiliency design principles].
• b. Implement the selected cyber resiliency goals, objectives, techniques, implementation approaches, and design principles as part of an organizational risk management process or systems security engineering process.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools