ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Navigation: SA-FAMILY: SYSTEM AND SERVICES ACQUISITION

SA-4(5) ACQUISITION PROCESS  |  SYSTEM / COMPONENT / SERVICE CONFIGURATIONS

Assessment worksheet (one row per assessed system, component, or service):

Applicable   | (C)onfidentiality | (I)ntegrity    | (A)vailability | RPN (C+I+A) | Result
(Y)es / (N)o | L1 / M2 / H3      | L1 / M2 / H3   | L1 / M2 / H3   | ###         | (S)atisfactory / (O)ther than satisfactory +##

Key: L1 = Low (1), M2 = Moderate (2), H3 = High (3); RPN is the sum of the three impact ratings. "###" and "+##" are the worksheet's placeholders for the computed RPN and the finding count.


Assessment Objective:

Determine if the organization:

SA-4(5)(a)

SA-4(5)(a)[1] defines security configurations to be implemented by the developer of the information system, system component, or information system service;

SA-4(5)(a)[2] requires the developer of the information system, system component, or information system service to deliver the system, component, or service with organization-defined security configurations implemented; and

SA-4(5)(b) requires the developer of the information system, system component, or information system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

Potential Assessment Methods and Objects:

Examine: [select from: System and services acquisition policy; procedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the information system, system component, or information system service; security configurations to be implemented by developer of the information system, system component, or information system service; service-level agreements; other relevant documents or records].

Interview: [select from: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with responsibility for determining information system security requirements; information system developer or service provider; organizational personnel with information security responsibilities].

Test: [select from: Automated mechanisms used to verify that the configuration of the information system, component, or service, as delivered, is as specified].
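As an added example of the Test method above (not code from ABCI Consultants or NIST), the following script compares a delivered component's configuration with the organization-defined security configurations and reports each setting that does not match. The OpenSSH sshd_config baseline, the delivered sample text, and all function names (parse_sshd_config, check_delivered_config, check_delivery_and_reinstall_default) are assumptions constructed for illustration; the same approach applies to any keyword/value configuration format once its parser is written.

```python
"""Automated as-delivered configuration check (SA-4(5), Test method).

Added example for this page, not code from ABCI Consultants or NIST. The
baseline, the delivered sshd_config text and every function name here are
constructed for illustration of the technique.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Organization-defined security configurations: hypothetical baseline for an
# OpenSSH server delivered as part of a system component. A setting that is
# absent from the delivered file is a deviation, because the daemon's
# compiled-in default is not necessarily the organization's required value.
REQUIRED_SSHD_SETTINGS: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "Ciphers": "aes256-gcm@openssh.com,aes128-gcm@openssh.com",
}

# Constructed sample of what a developer might deliver (not a real vendor file).
DELIVERED_SSHD_CONFIG = """\
# sshd_config as shipped with the component
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
# Ciphers not set: the daemon's compiled-in default list applies
"""


@dataclass(frozen=True)
class Deviation:
    setting: str
    required: str
    delivered: Optional[str]  # None when the setting is missing entirely


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines. Keywords are case-insensitive in sshd, so
    keys are lower-cased; comments and blank lines are skipped; for a repeated
    keyword the first value wins, which is how sshd itself applies them."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_delivered_config(
    delivered_text: str, required: Dict[str, str] = REQUIRED_SSHD_SETTINGS
) -> List[Deviation]:
    """Return every required setting the delivered configuration fails to meet."""
    delivered = parse_sshd_config(delivered_text)
    deviations: List[Deviation] = []
    for setting, required_value in required.items():
        actual = delivered.get(setting.lower())
        if actual is None or actual.lower() != required_value.lower():
            deviations.append(Deviation(setting, required_value, actual))
    return deviations


def check_delivery_and_reinstall_default(
    delivered_text: str,
    reinstall_template_text: str,
    required: Dict[str, str] = REQUIRED_SSHD_SETTINGS,
) -> Dict[str, List[Deviation]]:
    """Objective (a)[2] covers the system as delivered; objective (b) requires
    the same configurations to be the default after reinstallation or upgrade,
    so the developer's reinstall/upgrade template is checked against the same
    baseline and reported separately."""
    return {
        "delivered": check_delivered_config(delivered_text, required),
        "reinstall_default": check_delivered_config(reinstall_template_text, required),
    }


if __name__ == "__main__":
    for d in check_delivered_config(DELIVERED_SSHD_CONFIG):
        shown = d.delivered if d.delivered is not None else "<missing>"
        print(f"OTHER THAN SATISFACTORY: {d.setting}: required {d.required!r}, delivered {shown!r}")
```

Run against the delivered configuration, the sample above yields three findings (PermitRootLogin, X11Forwarding and the missing Ciphers line), each of which maps to an "other than satisfactory" entry for objective (a)[2]. Running the same check against the developer's reinstall or upgrade template gives the evidence for objective (b); a template that drifts from the delivered configuration is the case this control is meant to catch.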

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056