Navigate

SA-4(5)

SA-4(5): System, Component, and Service Configurations

Require the developer of the system, system component, or system service to:

(a): Deliver the system, component, or service with [security configurations for the system, component, or service are defined;] implemented; and

(b): Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

Supplemental

Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed.

CIA Levels
Confidentiality	unknown
Integrity	high
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-4(5).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of SA-4(5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-4(5).

CCI	Definition
CCI-003109	Require the developer of the system, system component, or system service to deliver the system, component, or service with organization-defined security configurations implemented.
CCI-003110	Defines the security configurations required to be implemented when the developer delivers the system, system component, or system service.
CCI-003111	Requires the developer of the system, system component, or system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.