| ๐ผ SA-1 Policy and Procedures (L)(M)(H) | | | | |
| ๐ผ SA-2 Allocation of Resources (L)(M)(H) | | | | |
| ๐ผ SA-3 System Development Life Cycle (L)(M)(H) | | | | |
| ๐ผ SA-4 Acquisition Process (L)(M)(H) | 5 | | | |
| ย ย ย ย ๐ผ SA-4(1) Functional Properties of Controls (M)(H) | | | | |
| ย ย ย ย ๐ผ SA-4(2) Design and Implementation Information for Controls (M)(H) | | | | |
| ย ย ย ย ๐ผ SA-4(5) System, Component, and Service Configurations (H) | | | | |
| ย ย ย ย ๐ผ SA-4(9) Functions, Ports, Protocols, and Services in Use (M)(H) | | | | |
| ย ย ย ย ๐ผ SA-4(10) Use of Approved PIV Products (L)(M)(H) | | | | |
| ๐ผ SA-5 System Documentation (L)(M)(H) | | | | |
| ๐ผ SA-8 Security and Privacy Engineering Principles (L)(M)(H) | | | | |
| ๐ผ SA-9 External System Services (L)(M)(H) | 3 | | | |
| ย ย ย ย ๐ผ SA-9(1) Risk Assessments and Organizational Approvals (M)(H) | | | | |
| ย ย ย ย ๐ผ SA-9(2) Identification of Functions, Ports, Protocols, and Services (M)(H) | | | | |
| ย ย ย ย ๐ผ SA-9(5) Processing, Storage, and Service Location (M)(H) | | | 1 | |
| ๐ผ SA-10 Developer Configuration Management (M)(H) | | | | |
| ๐ผ SA-11 Developer Testing and Evaluation (M)(H) | 2 | | | |
| ย ย ย ย ๐ผ SA-11(1) Static Code Analysis (M)(H) | | | | |
| ย ย ย ย ๐ผ SA-11(2) Threat Modeling and Vulnerability Analyses (M)(H) | | | | |
| ๐ผ SA-15 Development Process, Standards, and Tools (M)(H) | 1 | | | |
| ย ย ย ย ๐ผ SA-15(3) Criticality Analysis (M)(H) | | | | |
| ๐ผ SA-16 Developer-provided Training (H) | | | | |
| ๐ผ SA-17 Developer Security and Privacy Architecture and Design (H) | | | | |
| ๐ผ SA-21 Developer Screening (H) | | | | |
| ๐ผ SA-22 Unsupported System Components (L)(M)(H) | | | | |