SA-10: Developer Configuration Management

Statement

• Require the developer of the system, system component, or system service to:

  • a.

    Perform configuration management during system, component, or service sa-10_odp.01 ;

  • b.

    Document, manage, and control the integrity of changes to configuration items ;

  • c.

    Implement only organization-approved changes to the system, component, or service;

  • d.

    Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and

  • e.

    Track security flaws and flaw resolution within the system, component, or service and report findings to personnel .

  • • (e) Requirement:

      track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.