System And Services Acquisition Control Family
Page last updated:
| Number | Control | Pivotal Application Service (PAS) Compliance |
|---|---|---|
| SA-1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | Deployer responsibility |
| SA-2 | ALLOCATION OF RESOURCES | Deployer responsibility |
| SA-3 | SYSTEM DEVELOPMENT LIFE CYCLE | Deployer responsibility |
| SA-4 | ACQUISITION PROCESS | Deployer responsibility |
| SA-5 | INFORMATION SYSTEM DOCUMENTATION | Compliant |
| SA-6 | SOFTWARE USAGE RESTRICTIONS | Not applicable |
| SA-7 | USER-INSTALLED SOFTWARE | Not applicable |
| SA-8 | SECURITY ENGINEERING PRINCIPLES | Deployer responsibility |
| SA-9 | EXTERNAL INFORMATION SYSTEM SERVICES | Deployer responsibility |
| SA-10 | DEVELOPER CONFIGURATION MANAGEMENT | Compliant, and deployer responsibility |
| SA-11 | DEVELOPER SECURITY TESTING AND EVALUATION | Compliant, and deployer responsibility |
| SA-12 | SUPPLY CHAIN PROTECTION | Not applicable |
| SA-13 | TRUSTWORTHINESS | Not applicable |
| SA-14 | CRITICALITY ANALYSIS | Not applicable |
| SA-15 | DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | Not applicable |
| SA-16 | DEVELOPER-PROVIDED TRAINING | Not applicable |
| SA-17 | DEVELOPER SECURITY ARCHITECTURE AND DESIGN | Not applicable |
| SA-18 | TAMPER RESISTANCE AND DETECTION | |
| SA-19 | COMPONENT AUTHENTICITY | Not applicable |
| SA-20 | CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS | Not applicable |
| SA-21 | DEVELOPER SCREENING | Not applicable |
| SA-22 | UNSUPPORTED SYSTEM COMPONENTS | Not applicable |