NIST 800-53 r5 · Controls catalogue · Family SA
SA-1 Policy and Procedures
Control text (the `{{ insert: param, … }}` placeholders in the source are unrendered OSCAL organization-defined parameters; the NIST assignment wording is shown here with the parameter id in parentheses):
- a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles (sa-1_prm_1)]:
  - 1. [Selection (one or more): organization-level; mission/business process-level; system-level (sa-01_odp.03)] system and services acquisition policy that:
    - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - 2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;
- b. Designate an [Assignment: organization-defined official (sa-01_odp.04)] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and
- c. Review and update the current system and services acquisition:
  - 1. Policy [Assignment: organization-defined frequency (sa-01_odp.05)] and following [Assignment: organization-defined events (sa-01_odp.06)]; and
  - 2. Procedures [Assignment: organization-defined frequency (sa-01_odp.07)] and following [Assignment: organization-defined events (sa-01_odp.08)].
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (4) [AI-assisted mapping]
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class. Note that SA-1 is a policy-level control: it mitigates these weaknesses only indirectly, by requiring the acquisition policy and procedures that the technical SA and SR controls then enforce, so the mapping indicates governance coverage rather than a direct technical countermeasure.
| CWE | Name | CVE count | Why this control addresses it |
|---|---|---|---|
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres. |
| CWE-506 | Embedded Malicious Code | 80 | Acquisition procedures can prescribe integrity checks, code review, and provenance validation to reduce the introduction of embedded malicious code. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Policy can require pre-acquisition evaluation of a third-party component's maintenance status, support lifecycle, and update commitments. |
| CWE-657 | Violation of Secure Design Principles | 19 | Acquisition policy and procedures can explicitly require adherence to secure design and engineering principles when purchasing systems and services. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |