This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
NIST 800-53 (r4) Supplemental Guidance:
Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls. Related control: SA-5.
NIST 800-53 (r5) Discussion:
Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.
38North Guidance:
Meets Minimum Requirement:
Provide a description of the security controls that will be tested and employed. The CSP must provide a description of the functional properties of the security controls employed for the information system, i.e., the security capability, functions, or mechanisms visible at the interfaces of the controls, not their internal implementation.
Best Practice:
Document security controls, as implemented and employed, in a System Security Plan (SSP) or similar document.
Update the document as the environment is updated and new controls or changes are employed.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Documentation included in contracts, or provided after the service agreement, that lists the security controls along with a description of how each control is employed.
Artifacts produced throughout the lifecycle of the system or service that identify the security controls to be tested and employed as part of updating or implementing changes to an information
Samples of acquisition contracts or documented evidence to show:
Security requirements are addressed
A description of the product is provided
The security controls employed by the product
A plan for continuous monitoring is produced
The functions, ports, protocols, and services required for operation are defined
Testing performed on the acquired product prior to its implementation in the system/application.
CSP Implementation Tips:
None.