SA-10

SA-10 DEVELOPER CONFIGURATION MANAGEMENT

Overview

Number	Title	Impact	Priority	Subject Area
SA-10	Developer Configuration Management	MODERATE	P1	System And Services Acquisition

Instructions
The organization requires the developer of the information system, system component, or information system service to: SA-10a. Perform configuration management during system, component, or service Selection (one or more): design; development; implementation; operation; SA-10b. Document, manage, and control the integrity of changes to Assignment: organization-defined configuration items under configuration management; SA-10c. Implement only organization-approved changes to the system, component, or service; SA-10d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and SA-10e. Track security flaws and flaw resolution within the system, component, or service and report findings to Assignment: organization-defined personnel.

Instructions

The organization requires the developer of the information system, system component, or information system service to:

SA-10a.

Perform configuration management during system, component, or service Selection (one or more): design; development; implementation; operation;

SA-10b.

Document, manage, and control the integrity of changes to Assignment: organization-defined configuration items under configuration management;

SA-10c.

Implement only organization-approved changes to the system, component, or service;

SA-10d.

Document approved changes to the system, component, or service and the potential security impacts of such changes; and

SA-10e.

Track security flaws and flaw resolution within the system, component, or service and report findings to Assignment: organization-defined personnel.

Guidance
This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.

Guidance

This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.

Enhancements

SA-10 (1) Software / Firmware Integrity Verification

This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components.

The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.

SA-10 (2) Alternative Configuration Management Processes

Alternate configuration management processes may be required, for example, when organizations use commercial off-the-shelf (COTS) information technology products. Alternate configuration management processes include organizational personnel that: (i) are responsible for reviewing/approving proposed changes to information systems, system components, and information system services; and (ii) conduct security impact analyses prior to the implementation of any changes to systems, components, or services (e.g., a configuration control board that considers security impacts of changes during development and includes representatives of both the organization and the developer, when applicable).

The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.

SA-10 (3) Hardware Integrity Verification

This control enhancement allows organizations to detect unauthorized changes to hardware components through the use of tools, techniques, and/or mechanisms provided by developers. Organizations verify the integrity of hardware components, for example, with hard-to-copy labels and verifiable serial numbers provided by developers, and by requiring the implementation of anti-tamper technologies. Delivered hardware components also include updates to such components.

The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.

SA-10 (4) Trusted Generation

This control enhancement addresses changes to hardware, software, and firmware components between versions during development. In contrast, SA-10 (1) and SA-10 (3) allow organizations to detect unauthorized changes to hardware, software, and firmware components through the use of tools, techniques, and/or mechanisms provided by developers.

The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.

SA-10 (5) Mapping Integrity For Version Control

This control enhancement addresses changes to hardware, software, and firmware components during initial development and during system life cycle updates. Maintaining the integrity between the master copies of security-relevant hardware, software, and firmware (including designs and source code) and the equivalent data in master copies on-site in operational environments is essential to ensure the availability of organizational information systems supporting critical missions and/or business functions.

The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.

SA-10 (6) Trusted Distribution

The trusted distribution of security-relevant hardware, software, and firmware updates helps to ensure that such updates are faithful representations of the master copies maintained by the developer and have not been tampered with during distribution.

The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.