Navigate

SA-4 (5)

SA-4 (5): System / Component / Service Configurations

The organization requires the developer of the information system, system component, or information system service to:

SA-4 (5)(a): Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and

SA-4 (5)(b): Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

Supplemental

Security configurations include, for example, the U.S. Government Configuration Baseline (USGCB) and any limitations on functions, ports, protocols, and services. Security characteristics include, for example, requiring that all default passwords have been changed.

CIA Levels
Confidentiality	unknown
Integrity	high
Availability	unknown

Overlays
Space Platform

Related Controls

The controls below (if any) were marked by NIST as being related to SA-4 (5).

Control	Description
CM-8	The organization: CM-8a.: Develops and documents an inventory of information system components that: CM-8a.1.: Accurately reflects the current information system; CM-8a.2.: Includes all components within the authorization boundary of the information system; CM-8a.3.: Is at the level of granularity deemed necessary for tracking and reporting; and CM-8a.4.: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and CM-8b.: Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

Control

Description

CM-8

The organization:

CM-8a.: Develops and documents an inventory of information system components that:
- CM-8a.1.: Accurately reflects the current information system;
- CM-8a.2.: Includes all components within the authorization boundary of the information system;
- CM-8a.3.: Is at the level of granularity deemed necessary for tracking and reporting; and
- CM-8a.4.: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and

CM-8b.: Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

Enhancements

The controls below (if any) add on to the requirements of SA-4 (5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-4 (5).

CCI	Definition
CCI-003109	The organization requires the developer of the information system, system component, or information system service to deliver the system, component, or service with organization-defined security configurations implemented.
CCI-003110	The organization defines the security configurations required to be implemented when the developer delivers the information system, system component, or information system service.
CCI-003111	The organization requires the developer of the information system, system component, or information system service to use the organization-defined security configurations as the default for any subsequent system, component, or service reinstallation or upgrade.