💼 SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | | | | |
💼 SA-2 ALLOCATION OF RESOURCES | | | | |
💼 SA-3 SYSTEM DEVELOPMENT LIFE CYCLE | | | | |
💼 SA-4 ACQUISITION PROCESS | 10 | | | |
💼 SA-4 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS | | | | |
💼 SA-4 (2) DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS | | | | |
💼 SA-4 (3) DEVELOPMENT METHODS / TECHNIQUES / PRACTICES | | | | |
💼 SA-4 (4) ASSIGNMENT OF COMPONENTS TO SYSTEMS | | | | |
💼 SA-4 (5) SYSTEM / COMPONENT / SERVICE CONFIGURATIONS | | | | |
💼 SA-4 (6) USE OF INFORMATION ASSURANCE PRODUCTS | | | | |
💼 SA-4 (7) NIAP-APPROVED PROTECTION PROFILES | | | | |
💼 SA-4 (8) CONTINUOUS MONITORING PLAN | | | | |
💼 SA-4 (9) FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE | | | | |
💼 SA-4 (10) USE OF APPROVED PIV PRODUCTS | | | | |
💼 SA-5 INFORMATION SYSTEM DOCUMENTATION | 5 | | | |
💼 SA-5 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS | | | | |
💼 SA-5 (2) SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES | | | | |
💼 SA-5 (3) HIGH-LEVEL DESIGN | | | | |
💼 SA-5 (4) LOW-LEVEL DESIGN | | | | |
💼 SA-5 (5) SOURCE CODE | | | | |
💼 SA-6 SOFTWARE USAGE RESTRICTIONS | | | | |
💼 SA-7 USER-INSTALLED SOFTWARE | | | | |
💼 SA-8 SECURITY ENGINEERING PRINCIPLES | | | | |
💼 SA-9 EXTERNAL INFORMATION SYSTEM SERVICES | 5 | | | |
💼 SA-9 (1) RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS | | | | |
💼 SA-9 (2) IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES | | | | |
💼 SA-9 (3) ESTABLISH / MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS | | | | |
💼 SA-9 (4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS | | | | |
💼 SA-9 (5) PROCESSING, STORAGE, AND SERVICE LOCATION | | | | |
💼 SA-10 DEVELOPER CONFIGURATION MANAGEMENT | 6 | | | |
💼 SA-10 (1) SOFTWARE / FIRMWARE INTEGRITY VERIFICATION | | | | |
💼 SA-10 (2) ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES | | | | |
💼 SA-10 (3) HARDWARE INTEGRITY VERIFICATION | | | | |
💼 SA-10 (4) TRUSTED GENERATION | | | | |
💼 SA-10 (5) MAPPING INTEGRITY FOR VERSION CONTROL | | | | |
💼 SA-10 (6) TRUSTED DISTRIBUTION | | | | |
💼 SA-11 DEVELOPER SECURITY TESTING AND EVALUATION | 8 | | | |
💼 SA-11 (1) STATIC CODE ANALYSIS | | | | |
💼 SA-11 (2) THREAT AND VULNERABILITY ANALYSES | | | | |
💼 SA-11 (3) INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE | | | | |
💼 SA-11 (4) MANUAL CODE REVIEWS | | | | |
💼 SA-11 (5) PENETRATION TESTING | | | | |
💼 SA-11 (6) ATTACK SURFACE REVIEWS | | | | |
💼 SA-11 (7) VERIFY SCOPE OF TESTING / EVALUATION | | | | |
💼 SA-11 (8) DYNAMIC CODE ANALYSIS | | | | |
💼 SA-12 SUPPLY CHAIN PROTECTION | 15 | | | |
💼 SA-12 (1) ACQUISITION STRATEGIES / TOOLS / METHODS | | | | |
💼 SA-12 (2) SUPPLIER REVIEWS | | | | |
💼 SA-12 (3) TRUSTED SHIPPING AND WAREHOUSING | | | | |
💼 SA-12 (4) DIVERSITY OF SUPPLIERS | | | | |
💼 SA-12 (5) LIMITATION OF HARM | | | | |
💼 SA-12 (6) MINIMIZING PROCUREMENT TIME | | | | |
💼 SA-12 (7) ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE | | | | |
💼 SA-12 (8) USE OF ALL-SOURCE INTELLIGENCE | | | | |
💼 SA-12 (9) OPERATIONS SECURITY | | | | |
💼 SA-12 (10) VALIDATE AS GENUINE AND NOT ALTERED | | | | |
💼 SA-12 (11) PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS | | | | |
💼 SA-12 (12) INTER-ORGANIZATIONAL AGREEMENTS | | | | |
💼 SA-12 (13) CRITICAL INFORMATION SYSTEM COMPONENTS | | | | |
💼 SA-12 (14) IDENTITY AND TRACEABILITY | | | | |
💼 SA-12 (15) PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES | | | | |
💼 SA-13 TRUSTWORTHINESS | | | | |
💼 SA-14 CRITICALITY ANALYSIS | 1 | | | |
💼 SA-14 (1) CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING | | | | |
💼 SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | 11 | | | |
💼 SA-15 (1) QUALITY METRICS | | | | |
💼 SA-15 (2) SECURITY TRACKING TOOLS | | | | |
💼 SA-15 (3) CRITICALITY ANALYSIS | | | | |
💼 SA-15 (4) THREAT MODELING / VULNERABILITY ANALYSIS | | | | |
💼 SA-15 (5) ATTACK SURFACE REDUCTION | | | | |
💼 SA-15 (6) CONTINUOUS IMPROVEMENT | | | | |
💼 SA-15 (7) AUTOMATED VULNERABILITY ANALYSIS | | | | |
💼 SA-15 (8) REUSE OF THREAT / VULNERABILITY INFORMATION | | | | |
💼 SA-15 (9) USE OF LIVE DATA | | | | |
💼 SA-15 (10) INCIDENT RESPONSE PLAN | | | | |
💼 SA-15 (11) ARCHIVE INFORMATION SYSTEM / COMPONENT | | | | |
💼 SA-16 DEVELOPER-PROVIDED TRAINING | | | | |
💼 SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN | 7 | | | |
💼 SA-17 (1) FORMAL POLICY MODEL | | | | |
💼 SA-17 (2) SECURITY-RELEVANT COMPONENTS | | | | |
💼 SA-17 (3) FORMAL CORRESPONDENCE | | | | |
💼 SA-17 (4) INFORMAL CORRESPONDENCE | | | | |
💼 SA-17 (5) CONCEPTUALLY SIMPLE DESIGN | | | | |
💼 SA-17 (6) STRUCTURE FOR TESTING | | | | |
💼 SA-17 (7) STRUCTURE FOR LEAST PRIVILEGE | | | | |
💼 SA-18 TAMPER RESISTANCE AND DETECTION | 2 | | | |
💼 SA-18 (1) MULTIPLE PHASES OF SDLC | | | | |
💼 SA-18 (2) INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES | | | | |
💼 SA-19 COMPONENT AUTHENTICITY | 4 | | | |
💼 SA-19 (1) ANTI-COUNTERFEIT TRAINING | | | | |
💼 SA-19 (2) CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR | | | | |
💼 SA-19 (3) COMPONENT DISPOSAL | | | | |
💼 SA-19 (4) ANTI-COUNTERFEIT SCANNING | | | | |
💼 SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS | | | | |
💼 SA-21 DEVELOPER SCREENING | 1 | | | |
💼 SA-21 (1) VALIDATION OF SCREENING | | | | |
💼 SA-22 UNSUPPORTED SYSTEM COMPONENTS | 1 | | | |
💼 SA-22 (1) ALTERNATIVE SOURCES FOR CONTINUED SUPPORT | | | | |