NIST Special Publication 800-53 (Rev. 4)

Security and Privacy Controls for Federal Information Systems and Organizations

SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS

Family:
System and Services Acquisition
Class:
Priority:
P0 - Unspecified priority.
Baseline Allocation:
Low Moderate High

Control Description

The organization re-implements or custom develops [Assignment: organization-defined critical information system components].

Supplemental Guidance

Organizations determine that certain information system components likely cannot be trusted due to specific threats to and vulnerabilities in those components, and for which there are no viable security controls to adequately mitigate the resulting risk. Re-implementation or custom development of such components helps to satisfy requirements for higher assurance. This is accomplished by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to re-implement or custom develop critical information system components, additional safeguards can be employed (e.g., enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files.

Related to: CP-2SA-8SA-14

Control Enhancements

None.

References

None.