FedRAMP Rev 5 High Baseline
SA: System and Services Acquisition
An OSCAL Group
Subcontrols: 25
SA-1 - Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
5 Subcontrols
SA-4.1 - Functional Properties of Controls
SA-4.2 - Design and Implementation Information for Controls
SA-4.5 - System, Component, and Service Configurations
SA-4.9 - Functions, Ports, Protocols, and Services in Use
SA-4.10 - Use of Approved PIV Products
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
3 Subcontrols
SA-9.1 - Risk Assessments and Organizational Approvals
SA-9.2 - Identification of Functions, Ports, Protocols, and Services
SA-9.5 - Processing, Storage, and Service Location
SA-10 - Developer Configuration Management
SA-11 - Developer Testing and Evaluation
2 Subcontrols
SA-11.1 - Static Code Analysis
SA-11.2 - Threat Modeling and Vulnerability Analyses
SA-15 - Development Process, Standards, and Tools
1 Subcontrol
SA-15.3 - Criticality Analysis
SA-16 - Developer-provided Training
SA-17 - Developer Security and Privacy Architecture and Design
SA-21 - Developer Screening
SA-22 - Unsupported System Components