| 💼 SA-1 Policy and Procedures (L)(M)(H) | | | | |
| 💼 SA-2 Allocation of Resources (L)(M)(H) | | | | |
| 💼 SA-3 System Development Life Cycle (L)(M)(H) | | | 4 | |
| 💼 SA-4 Acquisition Process (L)(M)(H) | 5 | | | |
|     💼 SA-4(1) Functional Properties of Controls (M)(H) | | | | |
|     💼 SA-4(2) Design and Implementation Information for Controls (M)(H) | | | | |
|     💼 SA-4(5) System, Component, and Service Configurations (H) | | | | |
|     💼 SA-4(9) Functions, Ports, Protocols, and Services in Use (M)(H) | | | | |
|     💼 SA-4(10) Use of Approved PIV Products (L)(M)(H) | | | | |
| 💼 SA-5 System Documentation (L)(M)(H) | | | | |
| 💼 SA-8 Security and Privacy Engineering Principles (L)(M)(H) | | | 6 | |
| 💼 SA-9 External System Services (L)(M)(H) | 3 | | | |
|     💼 SA-9(1) Risk Assessments and Organizational Approvals (M)(H) | | | | |
|     💼 SA-9(2) Identification of Functions, Ports, Protocols, and Services (M)(H) | | | | |
|     💼 SA-9(5) Processing, Storage, and Service Location (M)(H) | | | 1 | |
| 💼 SA-10 Developer Configuration Management (M)(H) | | | 3 | |
| 💼 SA-11 Developer Testing and Evaluation (M)(H) | 2 | | | |
|     💼 SA-11(1) Static Code Analysis (M)(H) | | | | |
|     💼 SA-11(2) Threat Modeling and Vulnerability Analyses (M)(H) | | | | |
| 💼 SA-15 Development Process, Standards, and Tools (M)(H) | 1 | | | |
|     💼 SA-15(3) Criticality Analysis (M)(H) | | | | |
| 💼 SA-16 Developer-provided Training (H) | | | | |
| 💼 SA-17 Developer Security and Privacy Architecture and Design (H) | | | | |
| 💼 SA-21 Developer Screening (H) | | | | |
| 💼 SA-22 Unsupported System Components (L)(M)(H) | | | | |