Red Hat Virtualization Host - System and Services Acquisition

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control | Name | Status
SA-1 | System And Services Acquisition Policy And Procedures | not applicable
SA-2 | Allocation Of Resources | not applicable
SA-3 | System Development Life Cycle | not applicable
SA-4 | Acquisition Process | not applicable
SA-4 (1) | Functional Properties Of Security Controls |
SA-4 (2) | Design / Implementation Information For Security Controls |
SA-4 (3) | Development Methods / Techniques / Practices |
SA-4 (4) | Assignment Of Components To Systems |
SA-4 (5) | System / Component / Service Configurations |
SA-4 (6) | Use Of Information Assurance Products |
SA-4 (7) | NIAP-Approved Protection Profiles |
SA-4 (8) | Continuous Monitoring Plan |
SA-4 (9) | Functions / Ports / Protocols / Services In Use |
SA-4 (10) | Use Of Approved PIV Products | not applicable
SA-5 | Information System Documentation | complete
SA-5 (1) | Functional Properties Of Security Controls |
SA-5 (2) | Security-Relevant External System Interfaces |
SA-5 (3) | High-Level Design |
SA-5 (4) | Low-Level Design |
SA-5 (5) | Source Code |
SA-6 | Software Usage Restrictions |
SA-7 | User-Installed Software |
SA-8 | Security Engineering Principles |
SA-9 | External Information System Services |
SA-9 (1) | Risk Assessments / Organizational Approvals |
SA-9 (2) | Identification Of Functions / Ports / Protocols / Services |
SA-9 (3) | Establish / Maintain Trust Relationship With Providers |
SA-9 (4) | Consistent Interests Of Consumers And Providers |
SA-9 (5) | Processing, Storage, And Service Location |
SA-10 | Developer Configuration Management |
SA-10 (1) | Software / Firmware Integrity Verification |
SA-10 (2) | Alternative Configuration Management Processes |
SA-10 (3) | Hardware Integrity Verification |
SA-10 (4) | Trusted Generation |
SA-10 (5) | Mapping Integrity For Version Control |
SA-10 (6) | Trusted Distribution |
SA-11 | Developer Security Testing And Evaluation |
SA-11 (1) | Static Code Analysis |
SA-11 (2) | Threat And Vulnerability Analyses |
SA-11 (3) | Independent Verification Of Assessment Plans / Evidence |
SA-11 (4) | Manual Code Reviews |
SA-11 (5) | Penetration Testing |
SA-11 (6) | Attack Surface Reviews |
SA-11 (7) | Verify Scope Of Testing / Evaluation |
SA-11 (8) | Dynamic Code Analysis |
SA-12 | Supply Chain Protection |
SA-12 (1) | Acquisition Strategies / Tools / Methods |
SA-12 (2) | Supplier Reviews |
SA-12 (3) | Trusted Shipping And Warehousing |
SA-12 (4) | Diversity Of Suppliers |
SA-12 (5) | Limitation Of Harm |
SA-12 (6) | Minimizing Procurement Time |
SA-12 (7) | Assessments Prior To Selection / Acceptance / Update |
SA-12 (8) | Use Of All-Source Intelligence |
SA-12 (9) | Operations Security |
SA-12 (10) | Validate As Genuine And Not Altered |
SA-12 (11) | Penetration Testing / Analysis Of Elements, Processes, And Actors |
SA-12 (12) | Inter-Organizational Agreements |
SA-12 (13) | Critical Information System Components |
SA-12 (14) | Identity And Traceability |
SA-12 (15) | Processes To Address Weaknesses Or Deficiencies |
SA-13 | Trustworthiness |
SA-14 | Criticality Analysis |
SA-14 (1) | Critical Components With No Viable Alternative Sourcing |
SA-15 | Development Process, Standards, And Tools |
SA-15 (1) | Quality Metrics |
SA-15 (2) | Security Tracking Tools |
SA-15 (3) | Criticality Analysis |
SA-15 (4) | Threat Modeling / Vulnerability Analysis |
SA-15 (5) | Attack Surface Reduction |
SA-15 (6) | Continuous Improvement |
SA-15 (7) | Automated Vulnerability Analysis |
SA-15 (8) | Reuse Of Threat / Vulnerability Information |
SA-15 (9) | Use Of Live Data |
SA-15 (10) | Incident Response Plan |
SA-15 (11) | Archive Information System / Component |
SA-16 | Developer-Provided Training |
SA-17 | Developer Security Architecture And Design |
SA-17 (1) | Formal Policy Model |
SA-17 (2) | Security-Relevant Components |
SA-17 (3) | Formal Correspondence |
SA-17 (4) | Informal Correspondence |
SA-17 (5) | Conceptually Simple Design |
SA-17 (6) | Structure For Testing |
SA-17 (7) | Structure For Least Privilege |
SA-18 | Tamper Resistance And Detection |
SA-18 (1) | Multiple Phases Of SDLC |
SA-18 (2) | Inspection Of Information Systems, Components, Or Devices |
SA-19 | Component Authenticity |
SA-19 (1) | Anti-Counterfeit Training |
SA-19 (2) | Configuration Control For Component Service / Repair |
SA-19 (3) | Component Disposal |
SA-19 (4) | Anti-Counterfeit Scanning |
SA-20 | Customized Development Of Critical Components |
SA-21 | Developer Screening |
SA-21 (1) | Validation Of Screening |
SA-22 | Unsupported System Components |
SA-22 (1) | Alternative Sources For Continued Support |



SA-1: System And Services Acquisition Policy And Procedures

The organization:
  a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
  b. Reviews and updates the current:
     1. System and services acquisition policy [Assignment: organization-defined frequency]; and
     2. System and services acquisition procedures [Assignment: organization-defined frequency].

SA-1 Control Response Information
Implementation Status:

not applicable

SA-1: What is the solution and how is it implemented?
SA-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




SA-2: Allocation Of Resources

The organization:
  a. Determines information security requirements for the information system or information system service in mission/business process planning;
  b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
  c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.

SA-2 Control Response Information
Implementation Status:

not applicable

SA-2: What is the solution and how is it implemented?
SA-2(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-2(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-2(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




SA-3: System Development Life Cycle

The organization:
  a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
  b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
  c. Identifies individuals having information security roles and responsibilities; and
  d. Integrates the organizational information security risk management process into system development life cycle activities.

SA-3 Control Response Information
Implementation Status:

not applicable

SA-3: What is the solution and how is it implemented?
SA-3(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-3(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-3(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-3(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




SA-4: Acquisition Process

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
  a. Security functional requirements;
  b. Security strength requirements;
  c. Security assurance requirements;
  d. Security-related documentation requirements;
  e. Requirements for protecting security-related documentation;
  f. Description of the information system development environment and environment in which the system is intended to operate; and
  g. Acceptance criteria.

SA-4 Control Response Information
Implementation Status:

not applicable

SA-4: What is the solution and how is it implemented?
SA-4(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-4(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-4(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-4(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-4(e):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-4(f):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SA-4(g):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




SA-4 (1): Functional Properties Of Security Controls

“The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.”

SA-4 (1) Control Response Information
Implementation Status:
SA-4 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SA-4 (2): Design / Implementation Information For Security Controls

“The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].”

SA-4 (2) Control Response Information
Implementation Status:
SA-4 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SA-4 (3): Development Methods / Techniques / Practices

“The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].”

SA-4 (3) Control Response Information
Implementation Status:
SA-4 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SA-4 (4): Assignment Of Components To Systems

“[Withdrawn: Incorporated into CM-8 (9)].”

SA-4 (4) Control Response Information
Implementation Status:
SA-4 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SA-4 (5): System / Component / Service Configurations

The organization requires the developer of the information system, system component, or information system service to:
  (a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
  (b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

SA-4 (5) Control Response Information
Implementation Status:
SA-4 (5): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



SA-4 (6): Use Of Information Assurance Products

The organization:
  (a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
  (b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.

SA-4 (6) Control Response Information
Implementation Status: