Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >SP 800-53
  3. >System And Services Acquisition
  4. >SP800-53-SA-4
SP800-53-SA-4Active

Acquisition Process

Statement

Include the following requirements, descriptions, and criteria, explicitly or by reference, using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements; Strength of mechanism requirements; Security and privacy assurance requirements; Controls needed to satisfy the security and privacy requirements. Security and privacy documentation requirements; Requirements for protecting security and privacy documentation; Description of the system development environment and environment in which the system is intended to operate; Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and Acceptance criteria.

Location

Control Family
System and Services Acquisition

Control Details

Identifier
SP800-53-SA-4
Family
SA

Organisation-Defined Parameters

sa-04_odp.01
one or more: standardized contract language; ...
sa-04_odp.02
contract language

Supplemental Guidance

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2 . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.

Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.

Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.

Organizations can determine other requirements that support security and operations, to include responsibilities for the organization and developer, and notification and timing requirements for support, maintenance and updates.

Assessment Objective

security functional requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; privacy functional requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; security assurance requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; security documentation requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service; the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ...; the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using one or more: standardized contract language; ...; acceptance criteria requirements and descriptions are included explicitly or by reference using one or more: standardized contract language; ... in the acquisition contract for the system, system component, or system service.

ATTACK
ATTACK-T1078.004relatedvia ctid-attack-to-sp800-53
ATTACK-T1078.001relatedvia ctid-attack-to-sp800-53
ATTACK-T1078.003relatedvia ctid-attack-to-sp800-53
ATTACK-T1134.005relatedvia ctid-attack-to-sp800-53
ATTACK-T1078relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to System and Services Acquisition
System and Services Acquisition147 controls
SP800-53-SA-1Policy and ProceduresSP800-53-SA-2Allocation of ResourcesSP800-53-SA-3System Development Life CycleSP800-53-SA-3(1)Manage Preproduction EnvironmentSP800-53-SA-3(2)Use of Live or Operational DataSP800-53-SA-3(3)Technology RefreshSP800-53-SA-4Acquisition ProcessSP800-53-SA-4(1)Functional Properties of ControlsSP800-53-SA-4(2)Design and Implementation Information for ControlsSP800-53-SA-4(3)Development Methods, Techniques, and PracticesSP800-53-SA-4(4)Assignment of Components to SystemsSP800-53-SA-4(5)System, Component, and Service ConfigurationsSP800-53-SA-4(6)Use of Information Assurance ProductsSP800-53-SA-4(7)NIAP-approved Protection Profiles SP800-53-SA-4(8)Continuous Monitoring Plan for ControlsSP800-53-SA-4(9)Functions, Ports, Protocols, and Services in UseSP800-53-SA-4(10)Use of Approved PIV ProductsSP800-53-SA-4(11)System of RecordsSP800-53-SA-4(12)Data OwnershipSP800-53-SA-5System DocumentationSP800-53-SA-5(1)Functional Properties of Security ControlsSP800-53-SA-5(2)Security-relevant External System InterfacesSP800-53-SA-5(3)High-level DesignSP800-53-SA-5(4)Low-level DesignSP800-53-SA-5(5)Source CodeSP800-53-SA-6Software Usage RestrictionsSP800-53-SA-7User-installed SoftwareSP800-53-SA-8Security and Privacy Engineering PrinciplesSP800-53-SA-8(1)Clear AbstractionsSP800-53-SA-8(2)Least Common MechanismSP800-53-SA-8(3)Modularity and LayeringSP800-53-SA-8(4)Partially Ordered DependenciesSP800-53-SA-8(5)Efficiently Mediated AccessSP800-53-SA-8(6)Minimized SharingSP800-53-SA-8(7)Reduced ComplexitySP800-53-SA-8(8)Secure EvolvabilitySP800-53-SA-8(9)Trusted ComponentsSP800-53-SA-8(10)Hierarchical TrustSP800-53-SA-8(11)Inverse Modification ThresholdSP800-53-SA-8(12)Hierarchical ProtectionSP800-53-SA-8(13)Minimized Security ElementsSP800-53-SA-8(14)Least PrivilegeSP800-53-SA-8(15)Predicate PermissionSP800-53-SA-8(16)Self-reliant TrustworthinessSP800-53-SA-8(17)Secure Distributed CompositionSP800-53-SA-8(18)Trusted Communications ChannelsSP800-53-SA-8(19)Continuous ProtectionSP800-53-SA-8(20)Secure Metadata ManagementSP800-53-SA-8(21)Self-analysisSP800-53-SA-8(22)Accountability and TraceabilitySP800-53-SA-8(23)Secure DefaultsSP800-53-SA-8(24)Secure Failure and RecoverySP800-53-SA-8(25)Economic SecuritySP800-53-SA-8(26)Performance SecuritySP800-53-SA-8(27)Human Factored SecuritySP800-53-SA-8(28)Acceptable SecuritySP800-53-SA-8(29)Repeatable and Documented ProceduresSP800-53-SA-8(30)Procedural RigorSP800-53-SA-8(31)Secure System ModificationSP800-53-SA-8(32)Sufficient DocumentationSP800-53-SA-8(33)MinimizationSP800-53-SA-9External System ServicesSP800-53-SA-9(1)Risk Assessments and Organizational ApprovalsSP800-53-SA-9(2)Identification of Functions, Ports, Protocols, and ServicesSP800-53-SA-9(3)Establish and Maintain Trust Relationship with ProvidersSP800-53-SA-9(4)Consistent Interests of Consumers and ProvidersSP800-53-SA-9(5)Processing, Storage, and Service LocationSP800-53-SA-9(6)Organization-controlled Cryptographic KeysSP800-53-SA-9(7)Organization-controlled Integrity CheckingSP800-53-SA-9(8)Processing and Storage Location — U.S. JurisdictionSP800-53-SA-10Developer Configuration ManagementSP800-53-SA-10(1)Software and Firmware Integrity VerificationSP800-53-SA-10(2)Alternative Configuration Management ProcessesSP800-53-SA-10(3)Hardware Integrity VerificationSP800-53-SA-10(4)Trusted GenerationSP800-53-SA-10(5)Mapping Integrity for Version ControlSP800-53-SA-10(6)Trusted DistributionSP800-53-SA-10(7)Security and Privacy RepresentativesSP800-53-SA-11Developer Testing and EvaluationSP800-53-SA-11(1)Static Code AnalysisSP800-53-SA-11(2)Threat Modeling and Vulnerability AnalysesSP800-53-SA-11(3)Independent Verification of Assessment Plans and EvidenceSP800-53-SA-11(4)Manual Code ReviewsSP800-53-SA-11(5)Penetration TestingSP800-53-SA-11(6)Attack Surface ReviewsSP800-53-SA-11(7)Verify Scope of Testing and EvaluationSP800-53-SA-11(8)Dynamic Code AnalysisSP800-53-SA-11(9)Interactive Application Security TestingSP800-53-SA-12Supply Chain ProtectionSP800-53-SA-12(1)Acquisition Strategies / Tools / MethodsSP800-53-SA-12(2)Supplier ReviewsSP800-53-SA-12(3)Trusted Shipping and WarehousingSP800-53-SA-12(4)Diversity of SuppliersSP800-53-SA-12(5)Limitation of HarmSP800-53-SA-12(6)Minimizing Procurement TimeSP800-53-SA-12(7)Assessments Prior to Selection / Acceptance / UpdateSP800-53-SA-12(8)Use of All-source IntelligenceSP800-53-SA-12(9)Operations SecuritySP800-53-SA-12(10)Validate as Genuine and Not AlteredSP800-53-SA-12(11)Penetration Testing / Analysis of Elements, Processes, and ActorsSP800-53-SA-12(12)Inter-organizational AgreementsSP800-53-SA-12(13)Critical Information System ComponentsSP800-53-SA-12(14)Identity and TraceabilitySP800-53-SA-12(15)Processes to Address Weaknesses or DeficienciesSP800-53-SA-13TrustworthinessSP800-53-SA-14Criticality AnalysisSP800-53-SA-14(1)Critical Components with No Viable Alternative SourcingSP800-53-SA-15Development Process, Standards, and ToolsSP800-53-SA-15(1)Quality MetricsSP800-53-SA-15(2)Security and Privacy Tracking ToolsSP800-53-SA-15(3)Criticality AnalysisSP800-53-SA-15(4)Threat Modeling and Vulnerability AnalysisSP800-53-SA-15(5)Attack Surface ReductionSP800-53-SA-15(6)Continuous ImprovementSP800-53-SA-15(7)Automated Vulnerability AnalysisSP800-53-SA-15(8)Reuse of Threat and Vulnerability InformationSP800-53-SA-15(9)Use of Live DataSP800-53-SA-15(10)Incident Response PlanSP800-53-SA-15(11)Archive System or ComponentSP800-53-SA-15(12)Minimize Personally Identifiable InformationSP800-53-SA-15(13)Logging SyntaxSP800-53-SA-16Developer-provided TrainingSP800-53-SA-17Developer Security and Privacy Architecture and DesignSP800-53-SA-17(1)Formal Policy ModelSP800-53-SA-17(2)Security-relevant ComponentsSP800-53-SA-17(3)Formal CorrespondenceSP800-53-SA-17(4)Informal CorrespondenceSP800-53-SA-17(5)Conceptually Simple DesignSP800-53-SA-17(6)Structure for TestingSP800-53-SA-17(7)Structure for Least PrivilegeSP800-53-SA-17(8)OrchestrationSP800-53-SA-17(9)Design DiversitySP800-53-SA-18Tamper Resistance and DetectionSP800-53-SA-18(1)Multiple Phases of System Development Life CycleSP800-53-SA-18(2)Inspection of Systems or ComponentsSP800-53-SA-19Component AuthenticitySP800-53-SA-19(1)Anti-counterfeit TrainingSP800-53-SA-19(2)Configuration Control for Component Service and RepairSP800-53-SA-19(3)Component DisposalSP800-53-SA-19(4)Anti-counterfeit ScanningSP800-53-SA-20Customized Development of Critical ComponentsSP800-53-SA-21Developer ScreeningSP800-53-SA-21(1)Validation of ScreeningSP800-53-SA-22Unsupported System ComponentsSP800-53-SA-22(1)Alternative Sources for Continued SupportSP800-53-SA-23SpecializationSP800-53-SA-24Design For Cyber Resiliency