|SA-4 (1) Functional Properties Of Security Controls ||MODERATE |
Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
|SA-4 (2) Design / Implementation Information For Security Controls ||MODERATE |
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; Assignment: organization-defined design/implementation information at Assignment: organization-defined level of detail.
|SA-4 (3) Development Methods / Techniques / Practices || |
Following a well-defined system development life cycle that includes state-of-the-practice software development methods, systems/security engineering methods, quality control processes, and testing, evaluation, and validation techniques helps to reduce the number and severity of latent errors within information systems, system components, and information system services. Reducing the number/severity of such errors reduces the number of vulnerabilities in those systems, components, and services.
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes.
|SA-4 (4) Assignment Of Components To Systems || |
Withdrawn: Incorporated into CM-8 (9).
|SA-4 (5) System / Component / Service Configurations || |
Security configurations include, for example, the U.S. Government Configuration Baseline (USGCB) and any limitations on functions, ports, protocols, and services. Security characteristics include, for example, requiring that all default passwords have been changed.
The organization requires the developer of the information system, system component, or information system service to: SA-4 (5)(a)
Deliver the system, component, or service with Assignment: organization-defined security configurations implemented; and SA-4 (5)(b)
Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
|SA-4 (6) Use Of Information Assurance Products || |
COTS IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management.
The organization: SA-4 (6)(a)
Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and SA-4 (6)(b)
Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
|SA-4 (7) Niap-Approved Protection Profiles || |
The organization: SA-4 (7)(a)
Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and SA-4 (7)(b)
Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
|SA-4 (8) Continuous Monitoring Plan || |
The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations.
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains Assignment: organization-defined level of detail.
|SA-4 (9) Functions / Ports / Protocols / Services In Use ||MODERATE |
The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
|SA-4 (10) Use Of Approved Piv Products ||LOW |
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.