SA-10 Developer Configuration Management

System and Services Acquisition

Baselines: Low, Moderate, High

Description

The organization requires that information system developers create and implement a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.

Supplemental Guidance

This control also applies to the development actions associated with information system changes.

Changes from Rev 4

Adds 'disposal' to parameter text selections.
Adds 'privacy' to control text.

Enhancements

(0) None.

MITRE ATT&CK Techniques (27)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Initial Access: 6, Execution: 2, Persistence: 14, Privilege Escalation: 5, Defense Evasion: 17, Lateral Movement: 1, Collection: 1, Impact: 1

Compliance Mappings

ISO 27001:2022

6.3, A.8.25, A.8.30, A.8.32, A.8.4

ISO 27002:2022

8.25, 8.30, 8.32, 8.4

COBIT 2019

BAI03, BAI06

CIS Controls v8

CIS 16, CIS 16.4, CIS 2.6

NIST CSF 2.0

PR.PS-06

PCI DSS v4.0.1

6.2, 6.5

ISO 42001:2023

A.6.1.3, A.6.2.3

NIS2 Directive

Art. 21(2)(e)

PRA Operational Resilience

SS1/21-11.1

MAS TRM

6

ANSSI

Hygiene.34, Hygiene.36, SecNumCloud.15.4

FINMA Circular 2023/1

IV.A(36), IV.A(37), IV.A(38), IV.A(39)

OSFI B-13

B-13.2.3, B-13.3.2

EU GDPR

Art.25(1), Art.32(1)(d)

EU DORA

Art.8(5), Art.9(4)(e)

BIO2

8.25, 8.30, 8.32, 8.4

RBI CSF

Annex1.6, ITGRCA.13

FISC Security Guidelines

FISC.O10, FISC.O3, FISC.T6

HKMA TM-E-1

TME1.3.2, TME1.4.3

MLPS 2.0

8.1.9.5

DNB Good Practice

DNB.10.1, DNB.10.5

EU CRA

CRA.I.1, CRA.I.2f

SAMA CSF

3.2

NCA ECC

1-6, 2-3

UAE IA

T10

CBB TM

TM-7

Qatar NIA

SD

CBUAE

CR-6

CBE CSF

CTO-12, CTO-4

SA JS2

JS2-SA

BoG CISD

CISD-SDLC

BoM CTRM

3.11, 3.6

IOSCO Cyber Resilience

PROT-6

BCBS 239

Principle 3

FFIEC IS

II.C.10, II.C.17

EBA ICT Guidelines

3.6.2, 3.6.3

SEBI CSCRF

PR.AS, PR.IP

BOT Cyber Resilience

Ch2.5

CMMC 2.0

CM

PCI PTS v6

BF

FIPS 140-3

FIPS 140-3 §7.11, FIPS 140-3 §7.5

Common Criteria

CC Part 3 — SAR

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.11

Lloyd's Minimum Standards

MS8.4

PRA SS1/23

P3.1, P3.3, P3.4

FCA SYSC 13

SYSC 13.7.1, SYSC 13.7.4

HITRUST CSF v11

09.a, 10.d

FDA 21 CFR Part 11

§11.10(a)

FDA Cybersecurity Guidance

524B-1, PU-1, SA-3, SBOM-1, SBOM-2

ISO 27799

14.2

Basel SCO60

SCO60.52

BSSC Standards

NOS-02, TIS-08

ISO 17799 (legacy)

12.5.1, 12.5.2

COBIT 4.1 (legacy)

None.