SA – System and Services Acquisition

The System and Services Acquisition (SA) Control Family addresses the need for organizations to protect their information systems from risk during the acquisition process. This includes ensuring that security requirements are identified and addressed early in the acquisition process, and that security controls are implemented and tested before new systems and services are deployed.

Why is the SA Control Family Important?

The SA Control Family is important because it helps organizations to:

  • Ensure that security requirements are identified and addressed early in the acquisition process. This helps to prevent security risks from being introduced into new systems and services.
  • Implement and test security controls prior to the deployment of new systems and services. This helps to ensure that systems and services are secure before they are used to process sensitive data.
  • Manage risk throughout the system development life cycle (SDLC). This helps to ensure that security risks are identified and addressed throughout the SDLC, from development to deployment to maintenance.

Key Controls in the SA Security Control Family

The following are some of the key controls in the SA Security Control Family:

  • SA-1: Policy and Procedures: This control requires organizations to develop and implement a system and services acquisition policy and procedures.
  • SA-3: System Development Life Cycle: This control requires organizations to implement a system development life cycle (SDLC) that includes security activities throughout the SDLC.
  • SA-4: Acquisition Process: This control requires organizations to have a process in place for acquiring systems and services in a secure manner.
  • SA-5: System Documentation: This control requires organizations to develop and maintain documentation for all systems and services.
  • SA-6: Security and Privacy Engineering Principles: This control requires organizations to apply security and privacy engineering principles to the development and acquisition of systems and services.
  • SA-7: External System Services: This control requires organizations to have a process in place for managing the security of external system services.
  • SA-8: Developer Configuration Management: This control requires organizations to implement a developer configuration management process to control changes to software code and other development artifacts.
  • SA-9: Developer Testing and Evaluation: This control requires organizations to implement a developer testing and evaluation process that tests the security of systems and services during development.
  • SA-10: Developer Security and Privacy Architecture and Design: This control requires organizations to have a developer security and privacy architecture and design process in place.
  • SA-11: Criticality Analysis: This control requires organizations to conduct a criticality analysis of all systems and services.
  • SA-12: Risk Management: This control requires organizations to implement a risk management process to identify, assess, and manage the risks to their information systems.
  • SA-13: Supply Chain Risk Management: This control requires organizations to implement a supply chain risk management process to manage the risks associated with the acquisition of systems and services from third-party suppliers.

By implementing the SA Control Family, organizations can help to ensure that their systems and services are acquired and developed in a secure manner.