Red Hat Virtualization Manager - System and Services Acquisition

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

| Control | Name | Status |
|---|---|---|
| SA-1 | System And Services Acquisition Policy And Procedures | not applicable |
| SA-2 | Allocation Of Resources | not applicable |
| SA-3 | System Development Life Cycle | not applicable |
| SA-4 | Acquisition Process | not applicable |
| SA-4 (1) | Functional Properties Of Security Controls | planned |
| SA-4 (2) | Design / Implementation Information For Security Controls | planned |
| SA-4 (3) | Development Methods / Techniques / Practices | planned |
| SA-4 (4) | Assignment Of Components To Systems | not applicable |
| SA-4 (5) | System / Component / Service Configurations | planned |
| SA-4 (6) | Use Of Information Assurance Products | planned |
| SA-4 (7) | NIAP-Approved Protection Profiles | planned |
| SA-4 (8) | Continuous Monitoring Plan | planned |
| SA-4 (9) | Functions / Ports / Protocols / Services In Use | planned |
| SA-4 (10) | Use Of Approved PIV Products | not applicable |
| SA-5 | Information System Documentation | not applicable |
| SA-5 (1) | Functional Properties Of Security Controls | not applicable |
| SA-5 (2) | Security-Relevant External System Interfaces | not applicable |
| SA-5 (3) | High-Level Design | not applicable |
| SA-5 (4) | Low-Level Design | not applicable |
| SA-5 (5) | Source Code | not applicable |
| SA-6 | Software Usage Restrictions | not applicable |
| SA-7 | User-Installed Software | not applicable |
| SA-8 | Security Engineering Principles | not applicable |
| SA-9 | External Information System Services | not applicable |
| SA-9 (1) | Risk Assessments / Organizational Approvals | not applicable |
| SA-9 (2) | Identification Of Functions / Ports / Protocols / Services | not applicable |
| SA-9 (3) | Establish / Maintain Trust Relationship With Providers | not applicable |
| SA-9 (4) | Consistent Interests Of Consumers And Providers | not applicable |
| SA-9 (5) | Processing, Storage, And Service Location | not applicable |
| SA-10 | Developer Configuration Management | planned |
| SA-10 (1) | Software / Firmware Integrity Verification | planned |
| SA-10 (2) | Alternative Configuration Management Processes | not applicable |
| SA-10 (3) | Hardware Integrity Verification | planned |
| SA-10 (4) | Trusted Generation | planned |
| SA-10 (5) | Mapping Integrity For Version Control | planned |
| SA-10 (6) | Trusted Distribution | planned |
| SA-11 | Developer Security Testing And Evaluation | planned |
| SA-11 (1) | Static Code Analysis | planned |
| SA-11 (2) | Threat And Vulnerability Analyses | planned |
| SA-11 (3) | Independent Verification Of Assessment Plans / Evidence | not applicable |
| SA-11 (4) | Manual Code Reviews | planned |
| SA-11 (5) | Penetration Testing | planned |
| SA-11 (6) | Attack Surface Reviews | planned |
| SA-11 (7) | Verify Scope Of Testing / Evaluation | planned |
| SA-11 (8) | Dynamic Code Analysis | planned |
| SA-12 | Supply Chain Protection | planned |
| SA-12 (1) | Acquisition Strategies / Tools / Methods | not applicable |
| SA-12 (2) | Supplier Reviews | not applicable |
| SA-12 (3) | Trusted Shipping And Warehousing | not applicable |
| SA-12 (4) | Diversity Of Suppliers | not applicable |
| SA-12 (5) | Limitation Of Harm | not applicable |
| SA-12 (6) | Minimizing Procurement Time | not applicable |
| SA-12 (7) | Assessments Prior To Selection / Acceptance / Update | not applicable |
| SA-12 (8) | Use Of All-Source Intelligence | not applicable |
| SA-12 (9) | Operations Security | not applicable |
| SA-12 (10) | Validate As Genuine And Not Altered | not applicable |
| SA-12 (11) | Penetration Testing / Analysis Of Elements, Processes, And Actors | not applicable |
| SA-12 (12) | Inter-Organizational Agreements | not applicable |
| SA-12 (13) | Critical Information System Components | not applicable |
| SA-12 (14) | Identity And Traceability | not applicable |
| SA-12 (15) | Processes To Address Weaknesses Or Deficiencies | not applicable |
| SA-13 | Trustworthiness | not applicable |
| SA-14 | Criticality Analysis | not applicable |
| SA-14 (1) | Critical Components With No Viable Alternative Sourcing | not applicable |
| SA-15 | Development Process, Standards, And Tools | planned |
| SA-15 (1) | Quality Metrics | planned |
| SA-15 (2) | Security Tracking Tools | planned |
| SA-15 (3) | Criticality Analysis | planned |
| SA-15 (4) | Threat Modeling / Vulnerability Analysis | not applicable |
| SA-15 (5) | Attack Surface Reduction | planned |
| SA-15 (6) | Continuous Improvement | planned |
| SA-15 (7) | Automated Vulnerability Analysis | planned |
| SA-15 (8) | Reuse Of Threat / Vulnerability Information | planned |
| SA-15 (9) | Use Of Live Data | not applicable |
| SA-15 (10) | Incident Response Plan | planned |
| SA-15 (11) | Archive Information System / Component | planned |
| SA-16 | Developer-Provided Training | |