An error occurred:

© 2024 Xylok, LLC

Version: v2024.10.3-0fa4-8a67

Navigate

SA-4 (7)

SA-4 (7): Niap-Approved Protection Profiles

The organization:

SA-4 (7)(a): Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and

SA-4 (7)(b): Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.

Supplemental

None

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-4 (7).

Control	Description
SC-12	The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
SC-13	The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Enhancements

The controls below (if any) add on to the requirements of SA-4 (7).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-4 (7).

CCI	Definition
CCI-000634	The organization limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.
CCI-000635	The organization requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.