
SA-21 DEVELOPER SCREENING


Overview

Number: SA-21
Title: Developer Screening
Impact: (none listed)
Priority: P0
Subject Area: System And Services Acquisition

Instructions
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
SA-21a. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
SA-21b. Satisfy [Assignment: organization-defined additional personnel screening criteria].
Guidance
Because the information system, system component, or information system service may be employed in critical activities essential to the national and/or economic security interests of the United States, organizations have a strong interest in ensuring that the developer is trustworthy. The degree of trust required of the developer may need to be consistent with that of the individuals accessing the information system/component/service once deployed. Examples of authorization and personnel screening criteria include clearance, satisfactory background checks, citizenship, and nationality. Trustworthiness of developers may also include a review and analysis of company ownership and any relationships the company has with entities potentially affecting the quality/reliability of the systems, components, or services being developed.

Enhancements
SA-21 (1) Validation Of Screening
Satisfying required access authorizations and personnel screening criteria includes, for example, providing a listing of all the individuals authorized to perform development activities on the selected information system, system component, or information system service so that organizations can validate that the developer has satisfied the necessary authorization and screening requirements.

The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied.