SA-4 (5) Acquisition Process | System / Component / Service Configurations
The organization requires the developer of the information system, system component, or information system service to:
SA-4 (5)(a): Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
SA-4 (5)(b): Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
Applicable CNSSI 1253 Baselines
Confidentiality
- L
- M
- H
Integrity
- L
- M
- H
Availability
- L
- M
- H
Supplemental Guidance
Security configurations include, for example, the U.S. Government Configuration Baseline (USGCB) and any limitations on functions, ports, protocols, and services. Security characteristics include, for example, requiring that all default passwords have been changed.