| SA-01 | Policy and Procedures | |
| SA-02 | Allocation of Resources | |
| SA-03 | System Development Life Cycle | |
| SA-03(01) | Manage Preproduction Environment | |
| SA-03(02) | Use of Live or Operational Data | |
| SA-03(03) | Technology Refresh | |
| SA-04 | Acquisition Process | |
| SA-04(01) | Functional Properties of Controls | |
| SA-04(02) | Design and Implementation Information for Controls | |
| SA-04(03) | Development Methods, Techniques, and Practices | |
| SA-04(04) | Assignment of Components to Systems | Incorporated into CM-8.9. |
| SA-04(05) | System, Component, and Service Configurations | |
| SA-04(06) | Use of Information Assurance Products | |
| SA-04(07) | NIAP-approved Protection Profiles | |
| SA-04(08) | Continuous Monitoring Plan for Controls | |
| SA-04(09) | Functions, Ports, Protocols, and Services in Use | |
| SA-04(10) | Use of Approved PIV Products | |
| SA-04(11) | System of Records | |
| SA-04(12) | Data Ownership | |
| SA-05 | System Documentation | |
| SA-05(01) | Functional Properties of Security Controls | Incorporated into SA-4.1. |
| SA-05(02) | Security-relevant External System Interfaces | Incorporated into SA-4.2. |
| SA-05(03) | High-level Design | Incorporated into SA-4.2. |
| SA-05(04) | Low-level Design | Incorporated into SA-4.2. |
| SA-05(05) | Source Code | Incorporated into SA-4.2. |
| SA-06 | Software Usage Restrictions | Incorporated into CM-10 and SI-7. |
| SA-07 | User-installed Software | Incorporated into CM-11 and SI-7. |
| SA-08 | Security and Privacy Engineering Principles | |
| SA-08(01) | Clear Abstractions | |
| SA-08(02) | Least Common Mechanism | |
| SA-08(03) | Modularity and Layering | |
| SA-08(04) | Partially Ordered Dependencies | |
| SA-08(05) | Efficiently Mediated Access | |
| SA-08(06) | Minimized Sharing | |
| SA-08(07) | Reduced Complexity | |
| SA-08(08) | Secure Evolvability | |
| SA-08(09) | Trusted Components | |
| SA-08(10) | Hierarchical Trust | |
| SA-08(11) | Inverse Modification Threshold | |
| SA-08(12) | Hierarchical Protection | |
| SA-08(13) | Minimized Security Elements | |
| SA-08(14) | Least Privilege | |
| SA-08(15) | Predicate Permission | |
| SA-08(16) | Self-reliant Trustworthiness | |
| SA-08(17) | Secure Distributed Composition | |
| SA-08(18) | Trusted Communications Channels | |
| SA-08(19) | Continuous Protection | |
| SA-08(20) | Secure Metadata Management | |
| SA-08(21) | Self-analysis | |
| SA-08(22) | Accountability and Traceability | |
| SA-08(23) | Secure Defaults | |
| SA-08(24) | Secure Failure and Recovery | |
| SA-08(25) | Economic Security | |
| SA-08(26) | Performance Security | |
| SA-08(27) | Human Factored Security | |
| SA-08(28) | Acceptable Security | |
| SA-08(29) | Repeatable and Documented Procedures | |
| SA-08(30) | Procedural Rigor | |
| SA-08(31) | Secure System Modification | |
| SA-08(32) | Sufficient Documentation | |
| SA-08(33) | Minimization | |
| SA-09 | External System Services | |
| SA-09(01) | Risk Assessments and Organizational Approvals | |
| SA-09(02) | Identification of Functions, Ports, Protocols, and Services | |
| SA-09(03) | Establish and Maintain Trust Relationship with Providers | |
| SA-09(04) | Consistent Interests of Consumers and Providers | |
| SA-09(05) | Processing, Storage, and Service Location | |
| SA-09(06) | Organization-controlled Cryptographic Keys | |
| SA-09(07) | Organization-controlled Integrity Checking | |
| SA-09(08) | Processing and Storage Location — U.S. Jurisdiction | |
| SA-10 | Developer Configuration Management | |
| SA-10(01) | Software and Firmware Integrity Verification | |
| SA-10(02) | Alternative Configuration Management Processes | |
| SA-10(03) | Hardware Integrity Verification | |
| SA-10(04) | Trusted Generation | |
| SA-10(05) | Mapping Integrity for Version Control | |
| SA-10(06) | Trusted Distribution | |
| SA-10(07) | Security and Privacy Representatives | |
| SA-11 | Developer Testing and Evaluation | |
| SA-11(01) | Static Code Analysis | |
| SA-11(02) | Threat Modeling and Vulnerability Analyses | |
| SA-11(03) | Independent Verification of Assessment Plans and Evidence | |
| SA-11(04) | Manual Code Reviews | |
| SA-11(05) | Penetration Testing | |
| SA-11(06) | Attack Surface Reviews | |
| SA-11(07) | Verify Scope of Testing and Evaluation | |
| SA-11(08) | Dynamic Code Analysis | |
| SA-11(09) | Interactive Application Security Testing | |
| SA-12 | Supply Chain Protection | Incorporated into SR. |
| SA-12(01) | Acquisition Strategies / Tools / Methods | Moved to SR-5. |
| SA-12(02) | Supplier Reviews | Moved to SR-6. |
| SA-12(03) | Trusted Shipping and Warehousing | Incorporated into SR-3. |
| SA-12(04) | Diversity of Suppliers | Moved to SR-3.1. |
| SA-12(05) | Limitation of Harm | Moved to SR-3.2. |
| SA-12(06) | Minimizing Procurement Time | Incorporated into SR-5.1. |
| SA-12(07) | Assessments Prior to Selection / Acceptance / Update | Moved to SR-5.2. |
| SA-12(08) | Use of All-source Intelligence | Incorporated into RA-3.2. |
| SA-12(09) | Operations Security | Moved to SR-7. |
| SA-12(10) | Validate as Genuine and Not Altered | Moved to SR-4.3. |
| SA-12(11) | Penetration Testing / Analysis of Elements, Processes, and Actors | Moved to SR-6.1. |
| SA-12(12) | Inter-organizational Agreements | Moved to SR-8. |
| SA-12(13) | Critical Information System Components | Incorporated into MA-6 and RA-9. |
| SA-12(14) | Identity and Traceability | Incorporated into SR-4.1 and SR-4.2. |
| SA-12(15) | Processes to Address Weaknesses or Deficiencies | Incorporated into SR-3. |
| SA-13 | Trustworthiness | Incorporated into SA-8. |
| SA-14 | Criticality Analysis | Incorporated into RA-9. |
| SA-14(01) | Critical Components with No Viable Alternative Sourcing | Incorporated into SA-20. |
| SA-15 | Development Process, Standards, and Tools | |
| SA-15(01) | Quality Metrics | |
| SA-15(02) | Security and Privacy Tracking Tools | |
| SA-15(03) | Criticality Analysis | |
| SA-15(04) | Threat Modeling and Vulnerability Analysis | Incorporated into SA-11.2. |
| SA-15(05) | Attack Surface Reduction | |
| SA-15(06) | Continuous Improvement | |
| SA-15(07) | Automated Vulnerability Analysis | |
| SA-15(08) | Reuse of Threat and Vulnerability Information | |
| SA-15(09) | Use of Live Data | Incorporated into SA-3.2. |
| SA-15(10) | Incident Response Plan | |
| SA-15(11) | Archive System or Component | |
| SA-15(12) | Minimize Personally Identifiable Information | |
| SA-16 | Developer-provided Training | |
| SA-17 | Developer Security and Privacy Architecture and Design | |
| SA-17(01) | Formal Policy Model | |
| SA-17(02) | Security-relevant Components | |
| SA-17(03) | Formal Correspondence | |
| SA-17(04) | Informal Correspondence | |
| SA-17(05) | Conceptually Simple Design | |
| SA-17(06) | Structure for Testing | |
| SA-17(07) | Structure for Least Privilege | |
| SA-17(08) | Orchestration | |
| SA-17(09) | Design Diversity | |
| SA-18 | Tamper Resistance and Detection | Moved to SR-9. |
| SA-18(01) | Multiple Phases of System Development Life Cycle | Moved to SR-9.1. |
| SA-18(2) | Inspection of Systems or Components | Moved to SR-10. |
| SA-19 | Component Authenticity | Moved to SR-11. |
| SA-19(01) | Anti-counterfeit Training | Moved to SR-11.1. |
| SA-19(02) | Configuration Control for Component Service and Repair | Moved to SR-11.2. |
| SA-19(03) | Component Disposal | Moved to SR-12. |
| SA-19(04) | Anti-counterfeit Scanning | Moved to SR-11.3. |
| SA-20 | Customized Development of Critical Components | |
| SA-21 | Developer Screening | |
| SA-21(01) | Validation of Screening | Incorporated into SA-21. |
| SA-22 | Unsupported System Components | |
| SA-22(01) | Alternative Sources for Continued Support | Incorporated into SA-22. |
| SA-23 | Specialization | |