a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
   1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and services acquisition policy that:
      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
   2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and
c. Review and update the current system and services acquisition:
   1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
   2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and
c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.
a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
c. Identify individuals having information security and privacy roles and responsibilities; and
d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.
Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.
(a) Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and
(b) Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.
Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service:
a. Security and privacy functional requirements;
b. Strength of mechanism requirements;
c. Security and privacy assurance requirements;
d. Controls needed to satisfy the security and privacy requirements;
e. Security and privacy documentation requirements;
f. Requirements for protecting security and privacy documentation;
g. Description of the system development environment and environment in which the system is intended to operate;
h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
i. Acceptance criteria.
Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design and implementation information]] at [Assignment: organization-defined level of detail].
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:
(a) [Assignment: organization-defined systems engineering methods];
(b) [Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and
(c) [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes].
[Withdrawn: Incorporated into CM-8(9).]
Require the developer of the system, system component, or system service to:
(a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
(a) Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(b) Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
(a) Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
(b) Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.
Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.
(a) Include organizational data ownership requirements in the acquisition contract; and
(b) Require all data to be removed from the contractor's system and returned to the organization within [Assignment: organization-defined time frame].
a. Obtain or develop administrator documentation for the system, system component, or system service that describes:
   1. Secure configuration, installation, and operation of the system, component, or service;
   2. Effective use and maintenance of security and privacy functions and mechanisms; and
   3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
b. Obtain or develop user documentation for the system, system component, or system service that describes:
   1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
   2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
   3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and
d. Distribute documentation to [Assignment: organization-defined personnel or roles].
[Withdrawn: Incorporated into SA-4(1).]
[Withdrawn: Incorporated into SA-4(2).]
[Withdrawn: Incorporated into SA-4(2).]
[Withdrawn: Incorporated into SA-4(2).]
[Withdrawn: Incorporated into SA-4(2).]
[Withdrawn: Incorporated into CM-10 and SI-7.]
[Withdrawn: Incorporated into CM-11 and SI-7.]
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles].
Implement the security design principle of clear abstractions.
Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components].
Implement the security design principles of modularity and layering in [Assignment: organization-defined systems or system components].
Implement the security design principle of partially ordered dependencies in [Assignment: organization-defined systems or system components].
Implement the security design principle of efficiently mediated access in [Assignment: organization-defined systems or system components].
Implement the security design principle of minimized sharing in [Assignment: organization-defined systems or system components].
Implement the security design principle of reduced complexity in [Assignment: organization-defined systems or system components].
Implement the security design principle of secure evolvability in [Assignment: organization-defined systems or system components].
Implement the security design principle of trusted components in [Assignment: organization-defined systems or system components].
Implement the security design principle of hierarchical trust in [Assignment: organization-defined systems or system components].
Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components].
Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components].
Implement the security design principle of minimized security elements in [Assignment: organization-defined systems or system components].
Implement the security design principle of least privilege in [Assignment: organization-defined systems or system components].
Implement the security design principle of predicate permission in [Assignment: organization-defined systems or system components].
Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components].
Implement the security design principle of secure distributed composition in [Assignment: organization-defined systems or system components].
Implement the security design principle of trusted communications channels in [Assignment: organization-defined systems or system components].
Implement the security design principle of continuous protection in [Assignment: organization-defined systems or system components].
Implement the security design principle of secure metadata management in [Assignment: organization-defined systems or system components].
Implement the security design principle of self-analysis in [Assignment: organization-defined systems or system components].
Implement the security design principle of accountability and traceability in [Assignment: organization-defined systems or system components].
Implement the security design principle of secure defaults in [Assignment: organization-defined systems or system components].
Implement the security design principle of secure failure and recovery in [Assignment: organization-defined systems or system components].
Implement the security design principle of economic security in [Assignment: organization-defined systems or system components].
Implement the security design principle of performance security in [Assignment: organization-defined systems or system components].
Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components].
Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components].
Implement the security design principle of repeatable and documented procedures in [Assignment: organization-defined systems or system components].
Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components].
Implement the security design principle of secure system modification in [Assignment: organization-defined systems or system components].
Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components].
Implement the privacy principle of minimization using [Assignment: organization-defined processes].
a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls];
b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques].
(a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
(b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services].
Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [Assignment: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships].
Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions].
Restrict the location of [Selection (one or more): information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
Provide the capability to check the integrity of information while it resides in the external system.
Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.
Require the developer of the system, system component, or system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
Require the developer of the system, system component, or system service to enable integrity verification of hardware components.
Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions.
Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process].
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
a. Develop and implement a plan for ongoing security and privacy control assessments;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during testing and evaluation.
Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:
(a) Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
(b) Employs the following tools and methods: [Assignment: organization-defined tools and methods];
(c) Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and
(d) Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria].
(a) Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
(b) Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
Require the developer of the system, system component, or system service to perform a manual code review of [Assignment: organization-defined specific code] using the following processes, procedures, and/or techniques: [Assignment: organization-defined processes, procedures, and/or techniques].
Require the developer of the system, system component, or system service to perform penetration testing:
(a) At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and
(b) Under the following constraints: [Assignment: organization-defined constraints].
Require the developer of the system, system component, or system service to perform attack surface reviews.
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].
Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
[Withdrawn: Incorporated into SR.]
[Withdrawn: Incorporated into SR-5.]
[Withdrawn: Incorporated into SR-6.]
[Withdrawn: Incorporated into SR-3.]
[Withdrawn: Incorporated into SR-3(1).]
[Withdrawn: Incorporated into SR-3(2).]
[Withdrawn: Incorporated into SR-5(1).]
[Withdrawn: Incorporated into SR-5(2).]
[Withdrawn: Incorporated into RA-3(2).]
[Withdrawn: Incorporated into SR-7.]
[Withdrawn: Incorporated into SR-4(3).]
[Withdrawn: Incorporated into SR-6(1).]
[Withdrawn: Incorporated into SR-8.]
[Withdrawn: Incorporated into MA-6 and RA-9.]
[Withdrawn: Incorporated into SR-4(1) and SR-4(2).]
[Withdrawn: Incorporated into SR-3.]
[Withdrawn: Incorporated into SA-8.]
[Withdrawn: Incorporated into RA-9.]
[Withdrawn: Incorporated into SA-20.]
a. Require the developer of the system, system component, or system service to follow a documented development process that:
   1. Explicitly addresses security and privacy requirements;
   2. Identifies the standards and tools used in the development process;
   3. Documents the specific tool options and tool configurations used in the development process; and
   4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options, and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].
Require the developer of the system, system component, or system service to:
(a) Define quality metrics at the beginning of the development process; and
(b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].
Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.
Require the developer of the system, system component, or system service to perform a criticality analysis:
(a) At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and
(b) At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].
[Withdrawn: Incorporated into SA-11(2).]
Require the developer of the system, system component, or system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:
(a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].
Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
[Withdrawn: Incorporated into SA-3(2).]
Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.
Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.
Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.
Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [Assignment: organization-defined training].
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:
a. Is consistent with the organization's security and privacy architecture that is an integral part of the organization's enterprise architecture;
b. Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and
c. Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.
Require the developer of the system, system component, or system service to:
(a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and
(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented.
Require the developer of the system, system component, or system service to:
(a) Define security-relevant hardware, software, and firmware; and
(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
Require the developer of the system, system component, or system service to:
(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via proof, to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
Require the developer of the system, system component, or system service to:
(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
(b) Show via [Selection: informal demonstration; convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
(c) Show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
Require the developer of the system, system component, or system service to:
(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
Design [Assignment: organization-defined critical systems or system components] with coordinated behavior to implement the following capabilities: [Assignment: organization-defined capabilities, by system or component].
Use different designs for [Assignment: organization-defined critical systems or system components] to satisfy a common set of requirements or to provide equivalent functionality.
[Withdrawn: Moved to SR-9.]
[Withdrawn: Incorporated into SR-9(1).]
[Withdrawn: Incorporated into SR-10.]
[Withdrawn: Moved to SR-11.]
[Withdrawn: Incorporated into SR-11(1).]
[Withdrawn: Incorporated into SR-11(2).]
[Withdrawn: Incorporated into SR-12.]
[Withdrawn: Incorporated into SR-11(3).]
Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components].
Require that the developer of [Assignment: organization-defined system, system component, or system service]:
a. Has appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
b. Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria].
[Withdrawn: Incorporated into SA-21.]
a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
b. Provide the following options for alternative sources for continued support for unsupported components: [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]].
[Withdrawn: Incorporated into SA-22.]
Employ [Selection (one or more): design; modification; augmentation; reconfiguration] on [Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components.