NIST 800-53 r5 · Controls catalogue · Family SA
SA-4Acquisition Process
Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements; Strength of mechanism requirements; Security and privacy assurance requirements; Controls needed to satisfy the security and privacy requirements. Security and privacy documentation requirements; Requirements for protecting security and privacy documentation; Description of the system development environment and environment in which the system is intended to operate; Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and Acceptance criteria.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (6)
- T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.001 Default Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.003 Local Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1134.005 SID-History Injection Stealth, Privilege Escalation
- T1574.001 DLL Stealth, Execution
Weaknesses this control addresses (7)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-798 | Use of Hard-coded Credentials | 1,955 | Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components. |
CWE-1188 | Initialization of a Resource with an Insecure Default | 300 | Mandating secure configuration and initialization requirements in the acquisition process prevents delivery of products that initialize resources with insecure defaults. |
CWE-321 | Use of Hard-coded Cryptographic Key | 277 | Functional and assurance requirements specified in acquisition can prohibit hard-coded cryptographic keys in delivered products. |
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Allocation of supply-chain risk management responsibilities and vetting of the development/operational environment reduce inclusion of functionality from untrusted control spheres. |
CWE-494 | Download of Code Without Integrity Check | 242 | Requiring integrity-protection mechanisms and assurance requirements in contracts prevents acquisition of code-download features lacking integrity checks. |
CWE-1392 | Use of Default Credentials | 89 | Security functional requirements and acceptance criteria can stipulate that acquired systems must not use default credentials. |
CWE-1104 | Use of Unmaintained Third Party Components | 19 | Explicit supply-chain risk management and acceptance criteria in acquisition contracts directly reduce procurement of unmaintained third-party components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||