ARTIFACTS
SA: SYSTEM & SERVICES ACQUISITION
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for System & Services Acquisition (SA); and documents that are widely used in the assessment of controls and control enhancements in the System & Services Acquisition (SA) family. Policy and Procedure documents from control families are in CAPS and identified with their two letter code.
CORE ARTIFACTS | WIDELY USED ARTIFACTS FOR SYSTEM & SERVICES ACQUISITION |
SYSTEM & SERVICES ACQUISITION POLICY & PROCEDURES (SA) | Information system design documentation |
Security Authorization Package Documents (ESSENTIALS, listed below) | Information system configuration settings and associated documentation |
 | Information system audit records |
SECURITY AUTHORIZATION PACKAGE DOCUMENTS: ESSENTIALS |
ACCESS CONTROL POLICY & PROCEDURES (AC) |
Asset Inventory |
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU) |
Configuration Management Plan |
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM) |
Contingency Plan |
CONTINGENCY PLANNING POLICY & PROCEDURES (CP) |
Continuous Monitoring Strategy |
Continuous Monitoring Plan |
Enterprise Architecture (EA) |
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA) |
INCIDENT RESPONSE POLICY & PROCEDURES (IR) |
INFORMATION SECURITY PROGRAM PLAN (PM) |
MEDIA PROTECTION POLICY & PROCEDURES (MP) |
PERSONNEL SECURITY POLICY & PROCEDURES (PS) |
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE) |
Privacy Impact Assessment |
Privacy Program Plan |
Risk Assessment |
RISK ASSESSMENT POLICY & PROCEDURES (RA) |
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA) |
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT) |
Security Configurations |
SECURITY PLANNING POLICY & PROCEDURES (PL) |
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC) |
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI) |
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA) |
System Interconnection Agreements |
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA) |
Policy & Procedures
Here you'll find a catalog of System & Services Acquisition (SA) related policies and procedures for acquiring, developing, and maintaining the systems, components, and services that make up your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
POLICIES & PROCEDURES | APPLICABLE CONTROL(S) |
Configuration management policy | SA-12 (5) |
Enterprise architecture policy | SA-17 SA-17 (1) SA-17 (2) SA-17 (3) SA-17 (4) SA-17 (5) SA-17 (6) SA-17 (7) |
Incident response policy | SA-19 SA-19 (1) |
Media disposal policy | SA-19 SA-19 (1) SA-19 (3) |
Media protection policy | SA-17 SA-17 (1) SA-17 (2) SA-17 (3) |
Personnel security POLICY & PROCEDURES | SA-21 SA-21 (1) |
Anti-counterfeit POLICY & PROCEDURES | SA-19 SA-19 (1) SA-19 (2) SA-19 (3) SA-19 (4) |
Procedures addressing the integration of information security requirements into the acquisition process | SA-12 (10) |
Procedures addressing attack surface reduction | SA-15 (5) |
Procedures addressing capital planning and investment control | SA-2 |
Procedures addressing configuration management | SA-10 (2) |
Procedures addressing criticality analysis requirements for information systems | SA-14 |
Security plan | SA-14 |
Procedures addressing criticality analysis requirements for the information system, system component, or information system service | SA-15 (3) |
Procedures addressing customized development of critical information system components | SA-20 |
Procedures addressing developer continuous monitoring plans | SA-4 (8) |
Procedures addressing developer security architecture and design specification for the information system | SA-17 SA-17 (1) SA-17 (2) SA-17 (3) SA-17 (4) SA-17 (5) SA-17 (6) SA-17 (7) |
Procedures addressing developer-provided training | SA-16 |
Procedures addressing development process, standards, and tools | SA-15 SA-15 (1) SA-15 (2) SA-15 (3) SA-15 (4) SA-15 (5) SA-15 (6) SA-15 (7) SA-15 (8) SA-15 (9) SA-15 (10) SA-15 (11) |
Procedures addressing external information system services | SA-9 SA-9 (1) SA-9 (2) SA-9 (3) SA-9 (4) SA-9 (5) |
Procedures addressing flaw remediation | SA-11 SA-11 (1) SA-11 (8) |
Procedures addressing information system documentation | SA-5 |
Procedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services | SA-9 |
Procedures addressing personnel screening | SA-21 SA-21 (1) |
Procedures addressing replacement or continued use of unsupported information system components | SA-22 |
Procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system | SA-8 |
Procedures addressing supply chain protection | SA-12 SA-12 (1) SA-12 (2) SA-12 (5) SA-12 (7) SA-12 (8) SA-12 (9) SA-12 (10) SA-12 (11) SA-12 (12) SA-12 (13) SA-12 (14) SA-12 (15) |
Procedures addressing support for unsupported information system components | SA-22 (1) |
Procedures addressing system developer configuration management | SA-10 SA-10 (1) SA-10 (2) SA-10 (3) SA-10 (4) SA-10 (5) SA-10 (6) |
Procedures addressing system developer security testing | SA-11 SA-11 (1) SA-11 (2) SA-11 (3) SA-11 (4) SA-11 (5) SA-11 (6) SA-11 (7) SA-11 (8) |
Procedures addressing tamper resistance and detection | SA-18 SA-18 (1) SA-18 (2) |
Procedures addressing the allocation of resources to information security requirements | SA-2 |
Procedures addressing the baseline configuration of the information system | SA-12 (5) |
Procedures addressing the integration of acquisition strategies, contract tools, and procurement methods into the acquisition process | SA-12 (1) |
Procedures addressing the integration of information security into the system development life cycle process | SA-3 |
Procedures addressing the integration of information security requirements into the acquisition process | SA-12 SA-12 (1) SA-12 (2) SA-12 (5) SA-12 (7) SA-12 (14) |
Procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process | SA-4 SA-4 (1) SA-4 (2) SA-4 (3) SA-4 (5) SA-4 (6) SA-4 (7) SA-4 (8) SA-4 (9) SA-4 (10) |
Procedures addressing the integration of security requirements during the development process | SA-15 SA-15 (1) SA-15 (2) |
Procedures addressing trustworthiness requirements for the information system, system component, or information system service | SA-13 |
Procedures addressing weaknesses or deficiencies in supply chain elements | SA-12 (15) |
Processes, procedures, and/or techniques for performing manual code reviews | SA-11 (4) |
System and services acquisition POLICY & PROCEDURES | SA-1 |
Evidence, Records & Artifacts
Here you'll find a catalog of the evidence, records, and artifacts used to assess the System & Services Acquisition (SA) controls and control enhancements across your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
ARTIFACT | APPLICABLE CONTROL(S) |
Acceptance criteria for evidence produced from threat modeling and vulnerability analysis | SA-15 (4) |
Acquisition contracts | SA-12 (15) SA-22 (1) |
Acquisition contracts for information systems or services | SA-4 (9) SA-12 (1) |
Acquisition contracts for the information system, system component, or information system service | SA-10 (1) SA-10 (2) SA-10 (6) |
Acquisition contracts for the information system, or information system service | SA-15 (5) SA-15 (10) SA-15 (11) |
Acquisition contracts, service-level agreements | SA-9 |
Acquisition documentation | SA-22 (1) |
Approval records for acquisition or outsourcing of dedicated information security services | SA-9 (1) |
Assessment reports/results | SA-18 (2) |
Assessments performed on external service providers | SA-9 (4) |
Business impact analysis documentation | SA-14 SA-15 (3) |
Change control records | SA-10 SA-10 (1) SA-10 (4) SA-10 (5) SA-10 (6) SA-15 |
Configuration control audit records | SA-10 (4) |
Configuration control records | SA-15 |
Configuration control records for components awaiting service/repair | SA-19 (2) |
Configuration control records for serviced/repaired components awaiting return to service | SA-19 (2) |
Configuration management records | SA-10 SA-10 (1) SA-10 (4) SA-10 (5) SA-10 (6) SA-20 |
Criticality analysis documentation | SA-14 SA-15 (3) |
Design and implementation information for security controls employed in the information system, system component, or information system service | SA-4 (2) |
Design specification and security architecture documentation for the system | SA-17 SA-17 (1) |
Developer continuous monitoring plans | SA-4 (8) |
Developer documentation describing design and structure of security-relevant hardware, software, and firmware components | SA-17 (5) |
Developer documentation describing design and structure of security-relevant hardware, software, and firmware components to facilitate controlling access with least privilege | SA-17 (7) |
Developer documentation describing design and structure of security-relevant hardware, software, and firmware components to facilitate testing | SA-17 (6) |
Developer incident response plan | SA-15 (10) SA-15 (11) |
Developer-provided training materials | SA-16 |
Disposal records for information system components | SA-19 (3) |
Documentation authorizing use of live data in development and test environments | SA-15 (9) |
Documentation describing security-relevant hardware, software and firmware mechanisms not addressed in the formal top-level specification documentation | SA-17 (3) SA-17 (4) |
Documentation evidence of meeting quality metrics | SA-15 (1) SA-15 (2) |
Documentation of disposal techniques and methods employed for information system components | SA-19 (3) |
Documentation of trust relationships with external service providers | SA-9 (3) |
Documented approvals (including justification) for continued use of unsupported information system components | SA-22 |
Documented evidence of replacing unsupported information system components | SA-22 |
Documented rationale of completeness regarding definitions provided for security-relevant hardware, software, and firmware | SA-17 (2) |
Documented reviews of development process, standards, tools, and tool options/configurations | SA-15 |
Evidence of organizational analysis, independent third-party analysis, organizational penetration testing, and/or independent third-party penetration testing | SA-12 (11) |
Evidentiary documentation (including applicable configurations) indicating the information system, system component, or information system service are genuine and have not been altered | SA-12 (10) |
FIPS-validation information for cryptographic functionality | SA-4 (7) |
Formal policy model | SA-17 (3) SA-17 (4) |
Formal top-level specification documentation | SA-17 (3) |
Hardware integrity verification records | SA-10 (3) |
Independent verification and validation reports | SA-11 (3) |
Informal descriptive top-level specification documentation | SA-17 (4) |
Information processing, information/data, and/or information system services to be maintained in restricted locations | SA-9 (5) |
Information security requirements and specifications for the information system | SA-8 |
Information security risk management strategy/program documentation | SA-3 |
Information system architecture and associated configuration documentation | SA-12 (5) |
Information system configuration settings and associated documentation establishing/enforcing organization-defined thresholds for reducing attack surfaces | SA-15 (5) |
Information system development life cycle documentation | SA-3 |
Information system documentation including administrator and user guides | SA-5 |
Information system documentation including functions, ports, protocols, and services intended for organizational use | SA-4 (9) |
Information system maintenance records | SA-19 (2) |
Information system risk assessment reports | SA-11 (2) |
Information system security architecture and design documentation | SA-17 (3) SA-17 (4) |
Information system security architecture documentation | SA-17 (5) SA-17 (6) SA-17 (7) |
Information/data and/or information system services | SA-9 (5) |
Inspection reports/results | SA-18 (2) |
Integrity verification records between master copies of security-relevant hardware, software, and firmware (including designs and source code) | SA-10 (5) |
Inter-organizational agreements and procedures | SA-12 (12) |
Inventory management records | SA-19 (2) |
Inventory records of critical information system components | SA-12 (13) |
NIAP-approved protection profiles | SA-4 (7) |
Network diagram | SA-15 (5) |
Organizational programming and budgeting documentation | SA-2 |
Organizational risk assessment results | SA-12 (7) |
Organizational risk assessments | SA-15 (4) |
Organizational security requirements and security specifications for external provider services | SA-9 |
Organizational security requirements and security specifications for external service providers | SA-9 (2) |
Organizational security requirements or conditions for external providers | SA-9 (5) |
Organizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services | SA-4 (9) |
Organizational security requirements, properties, factors, or conditions defining acceptable trust relationships | SA-9 (3) |
Organizational security requirements/safeguards for external service providers | SA-9 (4) |
Penetration testing results | SA-12 (7) |
Personnel screening criteria and associated documentation | SA-21 SA-21 (1) |
Personnel security policies for external service providers | SA-9 (4) |
Physical inventory of critical information system components | SA-12 (13) |
Plans of action and milestones for improving system development process | SA-15 (6) |
Purchase orders/requisitions for the information system; system component; or information system service from suppliers | SA-12 (1) |
Quality goals and metrics for improving system development process | SA-15 (6) |
Records documenting attempts to obtain unavailable or nonexistent information system documentation | SA-5 |
Records of all-source intelligence analyses | SA-12 (8) SA-12 (9) |
Records of attack surface reviews | SA-11 (6) |
Records of developer security testing results for the information system, system component, or information system service | SA-11 SA-11 (2) |
Records of manual code reviews | SA-11 (4) |
Records of random inspections | SA-18 (2) |
Records of supplier due diligence reviews | SA-12 (2) |
Reports notifying developers/manufacturers/vendors/contractors and/or external reporting organizations of counterfeit information system components | SA-19 |
Restricted locations for information processing | SA-9 (5) |
Results of independent or organizational assessments of supply chain controls and processes | SA-12 (15) |
Risk assessment reports | SA-9 (1) SA-15 (7) |
Risk management strategy documentation | SA-5 |
Risk mitigation strategy documentation | SA-15 (7) |
Scanning results | SA-19 (4) |
Scanning tools and associated documentation | SA-19 (4) |
Security assessments and/or quality control reviews of system development process | SA-15 (6) |
Security authorization package for the information system, system component, or information system service | SA-13 |
Security categorization documentation/results | SA-13 |
Security configurations to be implemented by developer of the information system, system component, or information system service | SA-4 (5) SA-4 (6) |
Security control assessment evidence from external providers of information system services | SA-9 |
Security flaw and flaw resolution tracking records | SA-10 |
Security flaw and remediation tracking records | SA-11 SA-11 (1) SA-11 (8) |
Security test and evaluation plans | SA-11 (3) |
Security test and evaluation results | SA-11 (8) SA-12 (7) |
Security test and evaluation results for the information system, system component, or information system service | SA-11 (3) |
Software and firmware integrity verification records | SA-10 (1) |
Software development life cycle documentation | SA-15 (3) |
Solicitation documents | SA-4 (1) SA-4 (2) SA-4 (3) SA-4 (5) SA-4 (6) SA-4 (7) |
System change authorization records | SA-10 SA-10 (1) SA-10 (4) SA-10 (5) SA-10 (6) SA-15 |
System developer documentation listing tool options/configuration guides, configuration management records | SA-15 |
System developer penetration testing and evaluation plans | SA-11 (5) |
System developer penetration testing and evaluation results | SA-11 (5) |
System developer security test and evaluation plans | SA-11 (8) |
System developer security test plans | SA-11 SA-11 (1) SA-11 (2) |
System developer security testing and evaluation plans | SA-11 (4) SA-11 (6) SA-11 (7) |
System developer security testing and evaluation results | SA-11 (4) SA-11 (6) SA-11 (7) |
System developer security testing results | SA-11 (1) |
System development life cycle documentation | SA-12 SA-14 SA-18 (1) |
System development life cycle documentation addressing custom development of critical information system components | SA-20 |
Tamper protection program documentation | SA-18 SA-18 (1) |
Tamper protection tools and techniques documentation | SA-18 SA-18 (1) |
Tamper resistance and detection tools (technologies) and techniques documentation | SA-18 (1) |
Tamper resistance and detection tools and techniques documentation | SA-18 |
Threat and vulnerability analysis reports | SA-11 (2) |
Threat modeling and vulnerability analyses from similar information systems, system components, or information system services | SA-15 (8) |
Threat modeling documentation | SA-15 (4) |
Training materials addressing counterfeit information system components | SA-19 SA-19 (1) |
Training records | SA-16 |
Training records on detection and prevention of counterfeit components from entering the information system | SA-19 |
Training records on detection of counterfeit information system components | SA-19 (1) |
Version control change/update records | SA-10 (5) |
Vulnerability analysis results | SA-15 (4) SA-15 (7) |
Vulnerability analysis tools and associated documentation | SA-15 (7) |
Vulnerability assessment results | SA-12 (7) |
Vulnerability mitigation reports | SA-15 (7) |
Vulnerability scanning results | SA-11 (2) |
System & Services Acquisition Related Lists
These are the System & Services Acquisition (SA) related lists you may need to support your security program. For the lists applicable to your systems and information supply chain, you should know the source of each list and the data it contains; how the list is generated, where it is stored, and how it is maintained; and how to obtain it when you have an incident, an incident investigation, or an audit.
LIST | APPLICABLE CONTROL(S) |
List of actions ensuring required access authorizations and screening criteria are satisfied | SA-21 (1) |
List of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation | SA-5 |
List of appropriate access authorizations required by developers of the information system | SA-21 SA-21 (1) |
List of code requiring manual reviews | SA-11 (4) |
List of critical information system components and functions identified by criticality analyses | SA-14 |
List of information systems, information system components, or information system services requiring criticality analyses | SA-14 |
List of quality control processes to be included in developer's system development life cycle process | SA-4 (3) |
List of quality metrics | SA-15 (1) SA-15 (2) |
List of required functions, ports, protocols, and other services | SA-9 (2) |
List of restricted ports, protocols, functions and services | SA-15 (5) |
List of security safeguards ensuring adequate supply of critical information system components | SA-12 (13) |
List of security safeguards to be taken against supply chain threats | SA-12 |
List of security safeguards to be taken to protect organizational supply chain against potential supply chain threats | SA-12 (5) |
List of security-relevant hardware, software, and firmware components | SA-17 (2) |
List of software development methods to be included in developer's system development life cycle process | SA-4 (3) |
List of supply chain elements, processes, and actors (associated with the information system, system component, or information system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques and/or configurations | SA-12 (14) |
List of supply chain elements, processes, and actors (associated with the information system, system component, or information system service) subject to analysis and/or testing | SA-12 (11) |
List of supply chain threats | SA-12 |
List of system/security engineering methods to be included in developer's system development life cycle process | SA-4 (3) |
List of testing/evaluation/validation techniques to be included in developer's system development life cycle process | SA-4 (3) |