Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SA

SA-4Acquisition Process

Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements; Strength of mechanism requirements; Security and privacy assurance requirements; Controls needed to satisfy the security and privacy requirements. Security and privacy documentation requirements; Requirements for protecting security and privacy documentation; Description of the system development environment and environment in which the system is intended to operate; Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and Acceptance criteria.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 15 mapping(s) from 3 framework(s): CSF 2.0 7 (mostly) · ASVS 5.0 7 (partial) · OWASP-Web 1 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (6)

Weaknesses this control addresses (7)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-798Use of Hard-coded Credentials2,013Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.
CWE-1188Initialization of a Resource with an Insecure Default335Mandating secure configuration and initialization requirements in the acquisition process prevents delivery of products that initialize resources with insecure defaults.
CWE-321Use of Hard-coded Cryptographic Key302Functional and assurance requirements specified in acquisition can prohibit hard-coded cryptographic keys in delivered products.
CWE-829Inclusion of Functionality from Untrusted Control Sphere298Allocation of supply-chain risk management responsibilities and vetting of the development/operational environment reduce inclusion of functionality from untrusted control spheres.
CWE-494Download of Code Without Integrity Check252Requiring integrity-protection mechanisms and assurance requirements in contracts prevents acquisition of code-download features lacking integrity checks.
CWE-1392Use of Default Credentials104Security functional requirements and acceptance criteria can stipulate that acquired systems must not use default credentials.
CWE-1104Use of Unmaintained Third Party Components21Explicit supply-chain risk management and acceptance criteria in acquisition contracts directly reduce procurement of unmaintained third-party components.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family SA

SA-1 SA-10 SA-11 SA-12 SA-13 SA-14 SA-15 SA-16 SA-17 SA-18 SA-19 SA-2 SA-20 SA-21 SA-22 SA-23 SA-24 SA-3 SA-5 SA-6 SA-7 SA-8 SA-9