SA-04 Acquisitions

System and Services Acquisition

Baselines: Low, Moderate, High, Privacy

Description

The organization includes security requirements and/or security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards.

Supplemental Guidance

(1) Solicitation Documents. The solicitation documents (e.g., Requests for Proposals) for information systems and services include, either explicitly or by reference, security requirements that describe: (i) required security capabilities (security needs and, as necessary, specific security controls and other specific FISMA requirements); (ii) required design and development processes; (iii) required test and evaluation procedures; and (iv) required documentation. The requirements in the solicitation documents permit updating security controls as new threats/vulnerabilities are identified and as new technologies are implemented. NIST Special Publication 800-36 provides guidance on the selection of information security products. NIST Special Publication 800-35 provides guidance on information technology security services. NIST Special Publication 800-64 provides guidance on security considerations in the system development life cycle.

(2) Information System Documentation. The solicitation documents include requirements for appropriate information system documentation. The documentation addresses user and systems administrator guidance and information regarding the implementation of the security controls in the information system. The level of detail required in the documentation is based on the FIPS 199 security category for the information system.

(3) Use of Tested, Evaluated, and Validated Products. NIST Special Publication 800-23 provides guidance on the acquisition and use of tested/evaluated information technology products.

(4) Configuration Settings and Implementation Guidance. The information system required documentation includes security configuration settings and security implementation guidance. OMB FISMA reporting instructions provide guidance on configuration requirements for federal information systems. NIST Special Publication 800-70 provides guidance on configuration settings for information technology products.

Changes from Rev 4

Control text adds privacy, controls needed to satisfy security and privacy requirements, and allocation of responsibility.
New parameter to specify contract language.
Discussion expanded to explain benefits.
Incorporates requirements elements of withdrawn Appendix J control AR-03.

Compliance Mappings

ISO 27001:2022

A.5.19, A.5.20, A.5.31, A.5.8, A.8.26, A.8.29, A.8.30

ISO 27002:2022

5.19, 5.20, 5.23, 5.31, 5.8, 8.26, 8.29, 8.30, 8.6

COBIT 2019

APO09, APO10, BAI02, BAI03, MEA03

CIS Controls v8

CIS 15, CIS 15.2, CIS 15.4, CIS 16

NIST CSF 2.0

GV.OC-03, GV.SC-02, GV.SC-04, GV.SC-05, GV.SC-06, GV.SC-10, ID.RA-09, ID.RA-10

SOC 2 TSC

CC1.4-POF2, CC1.4-POF3, CC2.3-POF12, CC3.3, CC3.4, CC5.2, CC9.1, CC9.2, CC9.2-POF1, PI1.2, PI1.3

PCI DSS v4.0.1

12.8

CSA CCM v4

CCC-05, DSP-13, IPY-01, IPY-02, IPY-03, IPY-04, IVS-07, STA-03, STA-09, STA-10, UEM-03

CSA AICM v1

CCC-05, DSP-13, I&S-07, IPY-01, IPY-02, IPY-03, IPY-04, MDS-12, STA-03, STA-09, STA-10, STA-15, UEM-03

ISO 42001:2023

A.10.3, A.6.2.2

NIS2 Directive

Art. 21(2)(d), Art. 21(2)(e), Art. 24

PRA Operational Resilience

SS2/21-3.1, SS2/21-5.1, SS2/21-6.1

MAS TRM

165

APRA CPS 234

Para 29-33

BSI IT-Grundschutz

ORP.5

ANSSI

Hygiene.42, SecNumCloud.15.1, SecNumCloud.16.1

FINMA Circular 2023/1

IV.F(100), V(101), V(102), V(103)

OSFI B-13

B-13.2.3, B-13.4.1

EU GDPR

Art.28(1), Art.28(3), Art.28(3)(a)

EU DORA

Art.28(1)(a), Art.30(2), Art.30(3)

BIO2

5.19, 5.20, 5.23, 5.31, 5.8, 8.26, 8.29, 8.30, 8.6

RBI CSF

Annex1.6, Annex1.11, ITGRCA.10

FISC Security Guidelines

FISC.O10, FISC.O6, FISC.T6, FISC.T9

LGPD + BCB 4893

BCB.Art.11, BCB.Art.11-Supp, BCB.Art.12, BCB.Art.16

HKMA TM-E-1

TME1.12.1, TME1.12.2, TME1.3.1, TME1.3.4

MLPS 2.0

8.1.9.3, 8.1.9.4, 8.3, 8.5

DNB Good Practice

DNB.14.1, DNB.14.2, DNB.3.2

EU CRA

CRA.I.1, CRA.I.2b, CRA.I.2e, CRA.I.2j, CRA.II.1, CRA.Info.8f

SAMA CSF

1.4, 3.2, 4.1, 4.2

NCA ECC

1-6, 1-7, 2-14, 4-1

UAE IA

T10

CBB TM

TM-15, TM-7

Qatar NIA

SD

CBUAE

CR-12, CR-6

CBE CSF

CTO-11, CTO-4, OVM-1

SA JS2

JS2-8.7, JS2-SA

CBN CSF

Part2.4, Part5.1, Part5.2

BoG CISD

CISD-IX, CISD-SDLC, CISD-XII, CISD-XVI

POPIA

s21

BoM CTRM

3.1, 3.11, 3.9

IOSCO Cyber Resilience

PROT-6, PROT-7

BCBS 239

Principle 4

CPMI-IOSCO PFMI

PFMI.P17, PFMI.P22

FFIEC IS

II.C.14, II.C.17, II.C.2, II.C.20

NYDFS 500

500.11, 500.8

HIPAA Security Rule

§164.308(b)(1), §164.308(b)(3), §164.314(a)(1), §164.314(a)(2)

ECB CROE

CROE.2.2.3

EBA ICT Guidelines

3.2.3, 3.6.1, 3.6.2

SEBI CSCRF

GV.SC, PR.AS

BOT Cyber Resilience

Ch2.5, Ch5.1, Ch6.2

NERC CIP

CIP-013-2

10 CFR 73.54

RG5.71-C-SR

FERC CIP Orders

Order 829

DOE C2M2 v2.1

THIRD

API 1164

Sec 12

AWIA

AWWA Sec 7

IAEA NSS 17-T

Sec 6

PCI PTS v6

GH

FIPS 140-3

FIPS 140-3 §7.11, FIPS 140-3 §7.2

CBEST

CBEST.8

TIBER-EU

TIBER.PROV

PCI HSM

2

Common Criteria

CC Part 1 — PP, CC Part 1 — ST, CC Part 3 — SAR, CCRA

ISAE 3402

Clause 7

Solvency II

Art.49(1), Art.49(2), DR.272, EIOPA-Cloud-GL3

Lloyd's Minimum Standards

BP2.1, MS13.1, MS8.8

NAIC Insurance Data Security

4D

PRA SS1/23

P1.3

FCA SYSC 13

SYSC 13.9.1, SYSC 13.9.2, SYSC 13.9.3

HITRUST CSF v11

05.b, 06.a, 09.b, 10.a

FDA Cybersecurity Guidance

524B-1, SBOM-1

ISO 27799

14.1, 15.1, 18.1

NHS DSPT

NDG-10.1, NDG-10.2, NDG-10.3

MiCA

Art.66(1), Art.66(3)

Basel SCO60

SCO60.4, SCO60.54

BSSC Standards

TIS-03, TIS-06, KMS-03, GSP-07

SEC Custody (Digital Assets)

SEC-CD-10

ISO 17799 (legacy)

12.1.1

COBIT 4.1 (legacy)

AI2.4, AI5.4