SA-20 Customized Development of Critical Components

System and Services Acquisition

Description

Reimplement or custom develop the following critical system components: [Assignment: organization-defined parameters].

Supplemental Guidance

Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to reimplement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files.

Changes from Rev 4

No significant title changes from Rev 4.

Compliance Mappings

COBIT 2019: BAI03
NIS2 Directive: Art. 21(2)(e)
MAS TRM: 56
BSI IT-Grundschutz: OPS.1.1.6
ANSSI: SecNumCloud.15.1, SecNumCloud.15.5
FINMA Circular 2023/1: V(111), VI(112)
EU DORA: Art. 25(2)
RBI CSF: Annex 1.6
FISC Security Guidelines: FISC.O10, FISC.T6
HKMA TM-E-1: TME1.3.2
EU CRA: CRA.I.2k
SAMA CSF: 1.43.2
UAE IA: T10
CBB TM: TM-7
Qatar NIA: SD
CBUAE: CR-6
CBE CSF: CTO-4
SA JS2: JS2-SA
BoG CISD: CISD-SDLC
BoM CTRM: 3.11
EBA ICT Guidelines: 3.6.2
SEBI CSCRF: PR.AS
BOT Cyber Resilience: Ch2.5, Ch6.2