Under active development — Content is continuously updated and improved

Home / Frameworks / DoD SRG / SA — System and Services Acquisition

SA — System and Services Acquisition

70 controls in the System and Services Acquisition family

SA-1Policy and Procedures

IL4 ModIL4 HighIL5IL6

SA-2Allocation of Resources

IL4 ModIL4 HighIL5IL6

SA-3System Development Life Cycle

IL4 ModIL4 HighIL5IL6

SA-3(1)System Development Life Cycle | Manage Preproduction Environment

SA-3(2)System Development Life Cycle | Use of Live or Operational Data

SA-4Acquisition Process

IL4 ModIL4 HighIL5IL6

SA-4(1)Acquisition Process | Functional Properties of Controls

IL4 ModIL4 HighIL5IL6

SA-4(2)Acquisition Process | Design and Implementation Information for Controls

IL4 ModIL4 HighIL5IL6

SA-4(3)Acquisition Process | Development Methods, Techniques, and Practices

SA-4(5)Acquisition Process | System, Component, and Service Configurations

IL4 ModIL4 HighIL5IL6

SA-4(6)Acquisition Process | Use of Information Assurance Products

SA-4(7)Acquisition Process | NIAP-approved Protection Profiles

SA-4(9)Acquisition Process | Functions, Ports, Protocols, and Services in Use

IL4 ModIL4 HighIL5IL6

SA-4(10)Acquisition Process | Use of Approved PIV Products

IL4 ModIL4 HighIL5IL6

SA-5System Documentation

IL4 ModIL4 HighIL5IL6

SA-8Security and Privacy Engineering Principles

IL4 ModIL4 HighIL5IL6

SA-8(1)Security and Privacy Engineering Principles | Clear Abstractions

SA-8(2)Security and Privacy Engineering Principles | Least Common Mechanism

SA-8(3)Security and Privacy Engineering Principles | Modularity and Layering

SA-8(4)Security and Privacy Engineering Principles | Partially Ordered Dependencies

SA-8(5)Security and Privacy Engineering Principles | Efficiently Mediated Access

SA-8(6)Security and Privacy Engineering Principles | Minimized Sharing

SA-8(7)Security and Privacy Engineering Principles | Reduced Complexity

SA-8(8)Security and Privacy Engineering Principles | Secure Evolvability

SA-8(9)Security and Privacy Engineering Principles | Trusted Components

SA-8(10)Security and Privacy Engineering Principles | Hierarchical Trust

SA-8(11)Security and Privacy Engineering Principles | Inverse Modification Threshold

SA-8(12)Security and Privacy Engineering Principles | Hierarchical Protection

SA-8(13)Security and Privacy Engineering Principles | Minimized Security Elements

SA-8(14)Security and Privacy Engineering Principles | Least Privilege

SA-8(15)Security and Privacy Engineering Principles | Predicate Permission

SA-8(16)Security and Privacy Engineering Principles | Self-reliant Trustworthiness

SA-8(17)Security and Privacy Engineering Principles | Secure Distributed Composition

SA-8(18)Security and Privacy Engineering Principles | Trusted Communications Channels

SA-8(19)Security and Privacy Engineering Principles | Continuous Protection

SA-8(20)Security and Privacy Engineering Principles | Secure Metadata Management

SA-8(21)Security and Privacy Engineering Principles | Self-analysis

SA-8(22)Security and Privacy Engineering Principles | Accountability and Traceability

SA-8(23)Security and Privacy Engineering Principles | Secure Defaults

SA-8(24)Security and Privacy Engineering Principles | Secure Failure and Recovery

SA-8(25)Security and Privacy Engineering Principles | Economic Security

SA-8(26)Security and Privacy Engineering Principles | Performance Security

SA-8(27)Security and Privacy Engineering Principles | Human Factored Security

SA-8(28)Security and Privacy Engineering Principles | Acceptable Security

SA-8(29)Security and Privacy Engineering Principles | Repeatable and Documented Procedures

SA-8(30)Security and Privacy Engineering Principles | Procedural Rigor

SA-8(31)Security and Privacy Engineering Principles | Secure System Modification

SA-8(32)Security and Privacy Engineering Principles | Sufficient Documentation

SA-9External System Services

IL4 ModIL4 HighIL5IL6

SA-9(1)External System Services | Risk Assessments and Organizational Approvals

IL4 ModIL4 HighIL5IL6

SA-9(2)External System Services | Identification of Functions, Ports, Protocols, and Services

IL4 ModIL4 HighIL5IL6

SA-9(3)External System Services | Establish and Maintain Trust Relationship with Providers

IL4 ModIL4 HighIL5IL6

SA-9(5)External System Services | Processing, Storage, and Service Location

IL4 ModIL4 HighIL5IL6

SA-9(6)External System Services | Organization-controlled Cryptographic Keys

IL4 ModIL4 HighIL5IL6

SA-9(7)External System Services | Organization-controlled Integrity Checking

IL4 ModIL4 HighIL5IL6

SA-9(8)External System Services | Processing and Storage Location -- U.S. Jurisdiction

IL4 ModIL4 HighIL5IL6

SA-10Developer Configuration Management

IL4 ModIL4 HighIL5IL6

SA-10(1)Developer Configuration Management | Software and Firmware Integrity Verification

SA-10(3)Developer Configuration Management | Hardware Integrity Verification

SA-10(7)Developer Configuration Management | Security and Privacy Representatives

SA-11Developer Testing and Evaluation

IL4 ModIL4 HighIL5IL6

SA-11(1)Developer Testing and Evaluation | Static Code Analysis

IL4 ModIL4 HighIL5IL6

SA-11(2)Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses

IL4 ModIL4 HighIL5IL6

SA-15Development Process, Standards, and Tools

IL4 ModIL4 HighIL5IL6

SA-15(3)Development Process, Standards, and Tools | Criticality Analysis

IL4 ModIL4 HighIL5IL6

SA-15(7)Development Process, Standards, and Tools | Automated Vulnerability Analysis

SA-16Developer-provided Training

SA-17Developer Security and Privacy Architecture and Design

SA-21Developer Screening

SA-22Unsupported System Components

IL4 ModIL4 HighIL5IL6

← Back to all controls