
SA System and Services Acquisition

25 controls in the System and Services Acquisition family

SA-1 Policy and Procedures [LI-SaaS, LOW, MODERATE, HIGH]
SA-2 Allocation of Resources [LI-SaaS, LOW, MODERATE, HIGH]
SA-3 System Development Life Cycle [LI-SaaS, LOW, MODERATE, HIGH]
SA-4 Acquisition Process [LI-SaaS, LOW, MODERATE, HIGH]
SA-4 (01) Acquisition Process | Functional Properties of Controls [MODERATE, HIGH]
SA-4 (02) Acquisition Process | Design and Implementation Information for Controls [MODERATE, HIGH]
SA-4 (05) Acquisition Process | System, Component, and Service Configurations [HIGH]
SA-4 (09) Acquisition Process | Functions, Ports, Protocols, and Services in Use [MODERATE, HIGH]
SA-4 (10) Acquisition Process | Use of Approved PIV Products [LI-SaaS, LOW, MODERATE, HIGH]
SA-5 System Documentation [LI-SaaS, LOW, MODERATE, HIGH]
SA-8 Security and Privacy Engineering Principles [LI-SaaS, LOW, MODERATE, HIGH]
SA-9 External System Services [LI-SaaS, LOW, MODERATE, HIGH]
SA-9 (01) External System Services | Risk Assessments and Organizational Approvals [MODERATE, HIGH]
SA-9 (02) External System Services | Identification of Functions, Ports, Protocols, and Services [MODERATE, HIGH]
SA-9 (05) External System Services | Processing, Storage, and Service Location [MODERATE, HIGH]
SA-10 Developer Configuration Management [MODERATE, HIGH]
SA-11 Developer Testing and Evaluation [MODERATE, HIGH]
SA-11 (01) Developer Testing and Evaluation | Static Code Analysis [MODERATE, HIGH]
SA-11 (02) Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses [MODERATE, HIGH]
SA-15 Development Process, Standards, and Tools [MODERATE, HIGH]
SA-15 (03) Development Process, Standards, and Tools | Criticality Analysis [MODERATE, HIGH]
SA-16 Developer-provided Training [HIGH]
SA-17 Developer Security and Privacy Architecture and Design [HIGH]
SA-21 Developer Screening [HIGH]
SA-22 Unsupported System Components [LI-SaaS, LOW, MODERATE, HIGH]