SA-10 Developer Configuration Management

Baselines

Guidance

Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

The configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.

References 5

• FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
• FIPS 180-4 National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4.
• FIPS 202 National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202.
• SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
• SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.

Control Enhancements 7

• SA-10(01) Software and Firmware Integrity Verification L M H P
• SA-10(02) Alternative Configuration Management Processes L M H P
• SA-10(03) Hardware Integrity Verification L M H P
• SA-10(04) Trusted Generation L M H P
• SA-10(05) Mapping Integrity for Version Control L M H P
• SA-10(06) Trusted Distribution L M H P
• SA-10(07) Security and Privacy Representatives L M H P

Related controls 14

• CM-02 Baseline Configuration L M H P
• CM-03 Configuration Change Control L M H P
• CM-04 Impact Analyses L M H P
• CM-07 Least Functionality L M H P
• CM-09 Configuration Management Plan L M H P
• SA-04 Acquisition Process L M H P
• SA-05 System Documentation L M H P
• SA-08 Security and Privacy Engineering Principles L M H P
• SA-15 Development Process, Standards, and Tools L M H P
• SI-02 Flaw Remediation L M H P
• SR-03 Supply Chain Controls and Processes L M H P
• SR-04 Provenance L M H P
• SR-05 Acquisition Strategies, Tools, and Methods L M H P
• SR-06 Supplier Assessments and Reviews L M H P