| 💼 SA-1 Policy and Procedures | | | | |
| 💼 SA-2 Allocation of Resources | | | | |
| 💼 SA-3 System Development Life Cycle | 3 | | | |
| 💼 SA-3(1) System Development Life Cycle _ Manage Preproduction Environment | | | | |
| 💼 SA-3(2) System Development Life Cycle _ Use of Live or Operational Data | | | | |
| 💼 SA-3(3) System Development Life Cycle _ Technology Refresh | | | | |
| 💼 SA-4 Acquisition Process | 12 | | | |
| 💼 SA-4(1) Acquisition Process _ Functional Properties of Controls | | | | |
| 💼 SA-4(2) Acquisition Process _ Design and Implementation Information for Controls | | | | |
| 💼 SA-4(3) Acquisition Process _ Development Methods, Techniques, and Practices | | | | |
| 💼 SA-4(4) Acquisition Process _ Assignment of Components to Systems | | | | |
| 💼 SA-4(5) Acquisition Process _ System, Component, and Service Configurations | | | | |
| 💼 SA-4(6) Acquisition Process _ Use of Information Assurance Products | | | | |
| 💼 SA-4(7) Acquisition Process _ NIAP-approved Protection Profiles | | | | |
| 💼 SA-4(8) Acquisition Process _ Continuous Monitoring Plan for Controls | | | | |
| 💼 SA-4(9) Acquisition Process _ Functions, Ports, Protocols, and Services in Use | | | | |
| 💼 SA-4(10) Acquisition Process _ Use of Approved PIV Products | | | | |
| 💼 SA-4(11) Acquisition Process _ System of Records | | | | |
| 💼 SA-4(12) Acquisition Process _ Data Ownership | | | | |
| 💼 SA-5 System Documentation | 5 | | | |
| 💼 SA-5(1) System Documentation _ Functional Properties of Security Controls | | | | |
| 💼 SA-5(2) System Documentation _ Security-relevant External System Interfaces | | | | |
| 💼 SA-5(3) System Documentation _ High-level Design | | | | |
| 💼 SA-5(4) System Documentation _ Low-level Design | | | | |
| 💼 SA-5(5) System Documentation _ Source Code | | | | |
| 💼 SA-6 Software Usage Restrictions | | | | |
| 💼 SA-7 User-installed Software | | | | |
| 💼 SA-8 Security and Privacy Engineering Principles | 33 | | | |
| 💼 SA-8(1) Security and Privacy Engineering Principles _ Clear Abstractions | | | | |
| 💼 SA-8(2) Security and Privacy Engineering Principles _ Least Common Mechanism | | | | |
| 💼 SA-8(3) Security and Privacy Engineering Principles _ Modularity and Layering | | | | |
| 💼 SA-8(4) Security and Privacy Engineering Principles _ Partially Ordered Dependencies | | | | |
| 💼 SA-8(5) Security and Privacy Engineering Principles _ Efficiently Mediated Access | | | | |
| 💼 SA-8(6) Security and Privacy Engineering Principles _ Minimized Sharing | | | | |
| 💼 SA-8(7) Security and Privacy Engineering Principles _ Reduced Complexity | | | | |
| 💼 SA-8(8) Security and Privacy Engineering Principles _ Secure Evolvability | | | | |
| 💼 SA-8(9) Security and Privacy Engineering Principles _ Trusted Components | | | | |
| 💼 SA-8(10) Security and Privacy Engineering Principles _ Hierarchical Trust | | | | |
| 💼 SA-8(11) Security and Privacy Engineering Principles _ Inverse Modification Threshold | | | | |
| 💼 SA-8(12) Security and Privacy Engineering Principles _ Hierarchical Protection | | | | |
| 💼 SA-8(13) Security and Privacy Engineering Principles _ Minimized Security Elements | | | | |
| 💼 SA-8(14) Security and Privacy Engineering Principles _ Least Privilege | | | | |
| 💼 SA-8(15) Security and Privacy Engineering Principles _ Predicate Permission | | | | |
| 💼 SA-8(16) Security and Privacy Engineering Principles _ Self-reliant Trustworthiness | | | | |
| 💼 SA-8(17) Security and Privacy Engineering Principles _ Secure Distributed Composition | | | | |
| 💼 SA-8(18) Security and Privacy Engineering Principles _ Trusted Communications Channels | | | | |
| 💼 SA-8(19) Security and Privacy Engineering Principles _ Continuous Protection | | | | |
| 💼 SA-8(20) Security and Privacy Engineering Principles _ Secure Metadata Management | | | | |
| 💼 SA-8(21) Security and Privacy Engineering Principles _ Self-analysis | | | | |
| 💼 SA-8(22) Security and Privacy Engineering Principles _ Accountability and Traceability | | | 1 | |
| 💼 SA-8(23) Security and Privacy Engineering Principles _ Secure Defaults | | | | |
| 💼 SA-8(24) Security and Privacy Engineering Principles _ Secure Failure and Recovery | | | | |
| 💼 SA-8(25) Security and Privacy Engineering Principles _ Economic Security | | | | |
| 💼 SA-8(26) Security and Privacy Engineering Principles _ Performance Security | | | | |
| 💼 SA-8(27) Security and Privacy Engineering Principles _ Human Factored Security | | | | |
| 💼 SA-8(28) Security and Privacy Engineering Principles _ Acceptable Security | | | | |
| 💼 SA-8(29) Security and Privacy Engineering Principles _ Repeatable and Documented Procedures | | | | |
| 💼 SA-8(30) Security and Privacy Engineering Principles _ Procedural Rigor | | | | |
| 💼 SA-8(31) Security and Privacy Engineering Principles _ Secure System Modification | | | | |
| 💼 SA-8(32) Security and Privacy Engineering Principles _ Sufficient Documentation | | | | |
| 💼 SA-8(33) Security and Privacy Engineering Principles _ Minimization | | | | |
| 💼 SA-9 External System Services | 8 | | | |
| 💼 SA-9(1) External System Services _ Risk Assessments and Organizational Approvals | | | | |
| 💼 SA-9(2) External System Services _ Identification of Functions, Ports, Protocols, and Services | | | | |
| 💼 SA-9(3) External System Services _ Establish and Maintain Trust Relationship with Providers | | | | |
| 💼 SA-9(4) External System Services _ Consistent Interests of Consumers and Providers | | | | |
| 💼 SA-9(5) External System Services _ Processing, Storage, and Service Location | | 1 | 1 | |
| 💼 SA-9(6) External System Services _ Organization-controlled Cryptographic Keys | | | | |
| 💼 SA-9(7) External System Services _ Organization-controlled Integrity Checking | | | | |
| 💼 SA-9(8) External System Services _ Processing and Storage Location — U.S. Jurisdiction | | | | |
| 💼 SA-10 Developer Configuration Management | 7 | | | |
| 💼 SA-10(1) Developer Configuration Management _ Software and Firmware Integrity Verification | | | | |
| 💼 SA-10(2) Developer Configuration Management _ Alternative Configuration Management Processes | | | | |
| 💼 SA-10(3) Developer Configuration Management _ Hardware Integrity Verification | | | | |
| 💼 SA-10(4) Developer Configuration Management _ Trusted Generation | | | | |
| 💼 SA-10(5) Developer Configuration Management _ Mapping Integrity for Version Control | | | | |
| 💼 SA-10(6) Developer Configuration Management _ Trusted Distribution | | | | |
| 💼 SA-10(7) Developer Configuration Management _ Security and Privacy Representatives | | | | |
| 💼 SA-11 Developer Testing and Evaluation | 9 | | | |
| 💼 SA-11(1) Developer Testing and Evaluation _ Static Code Analysis | | | | |
| 💼 SA-11(2) Developer Testing and Evaluation _ Threat Modeling and Vulnerability Analyses | | | | |
| 💼 SA-11(3) Developer Testing and Evaluation _ Independent Verification of Assessment Plans and Evidence | | | | |
| 💼 SA-11(4) Developer Testing and Evaluation _ Manual Code Reviews | | | | |
| 💼 SA-11(5) Developer Testing and Evaluation _ Penetration Testing | | | | |
| 💼 SA-11(6) Developer Testing and Evaluation _ Attack Surface Reviews | | | | |
| 💼 SA-11(7) Developer Testing and Evaluation _ Verify Scope of Testing and Evaluation | | | | |
| 💼 SA-11(8) Developer Testing and Evaluation _ Dynamic Code Analysis | | | | |
| 💼 SA-11(9) Developer Testing and Evaluation _ Interactive Application Security Testing | | | | |
| 💼 SA-12 Supply Chain Protection | 15 | | | |
| 💼 SA-12(1) Supply Chain Protection _ Acquisition Strategies / Tools / Methods | | | | |
| 💼 SA-12(2) Supply Chain Protection _ Supplier Reviews | | | | |
| 💼 SA-12(3) Supply Chain Protection _ Trusted Shipping and Warehousing | | | | |
| 💼 SA-12(4) Supply Chain Protection _ Diversity of Suppliers | | | | |
| 💼 SA-12(5) Supply Chain Protection _ Limitation of Harm | | | | |
| 💼 SA-12(6) Supply Chain Protection _ Minimizing Procurement Time | | | | |
| 💼 SA-12(7) Supply Chain Protection _ Assessments Prior to Selection / Acceptance / Update | | | | |
| 💼 SA-12(8) Supply Chain Protection _ Use of All-source Intelligence | | | | |
| 💼 SA-12(9) Supply Chain Protection _ Operations Security | | | | |
| 💼 SA-12(10) Supply Chain Protection _ Validate as Genuine and Not Altered | | | | |
| 💼 SA-12(11) Supply Chain Protection _ Penetration Testing / Analysis of Elements, Processes, and Actors | | | | |
| 💼 SA-12(12) Supply Chain Protection _ Inter-organizational Agreements | | | | |
| 💼 SA-12(13) Supply Chain Protection _ Critical Information System Components | | | | |
| 💼 SA-12(14) Supply Chain Protection _ Identity and Traceability | | | | |
| 💼 SA-12(15) Supply Chain Protection _ Processes to Address Weaknesses or Deficiencies | | | | |
| 💼 SA-13 Trustworthiness | | | | |
| 💼 SA-14 Criticality Analysis | 1 | | | |
| 💼 SA-14(1) Criticality Analysis _ Critical Components with No Viable Alternative Sourcing | | | | |
| 💼 SA-15 Development Process, Standards, and Tools | 12 | | | |
| 💼 SA-15(1) Development Process, Standards, and Tools _ Quality Metrics | | | | |
| 💼 SA-15(2) Development Process, Standards, and Tools _ Security and Privacy Tracking Tools | | | | |
| 💼 SA-15(3) Development Process, Standards, and Tools _ Criticality Analysis | | | | |
| 💼 SA-15(4) Development Process, Standards, and Tools _ Threat Modeling and Vulnerability Analysis | | | | |
| 💼 SA-15(5) Development Process, Standards, and Tools _ Attack Surface Reduction | | | | |
| 💼 SA-15(6) Development Process, Standards, and Tools _ Continuous Improvement | | | | |
| 💼 SA-15(7) Development Process, Standards, and Tools _ Automated Vulnerability Analysis | | | | |
| 💼 SA-15(8) Development Process, Standards, and Tools _ Reuse of Threat and Vulnerability Information | | | | |
| 💼 SA-15(9) Development Process, Standards, and Tools _ Use of Live Data | | | | |
| 💼 SA-15(10) Development Process, Standards, and Tools _ Incident Response Plan | | | | |
| 💼 SA-15(11) Development Process, Standards, and Tools _ Archive System or Component | | | | |
| 💼 SA-15(12) Development Process, Standards, and Tools _ Minimize Personally Identifiable Information | | | | |
| 💼 SA-16 Developer-provided Training | | | | |
| 💼 SA-17 Developer Security and Privacy Architecture and Design | 9 | | | |
| 💼 SA-17(1) Developer Security and Privacy Architecture and Design _ Formal Policy Model | | | | |
| 💼 SA-17(2) Developer Security and Privacy Architecture and Design _ Security-relevant Components | | | | |
| 💼 SA-17(3) Developer Security and Privacy Architecture and Design _ Formal Correspondence | | | | |
| 💼 SA-17(4) Developer Security and Privacy Architecture and Design _ Informal Correspondence | | | | |
| 💼 SA-17(5) Developer Security and Privacy Architecture and Design _ Conceptually Simple Design | | | | |
| 💼 SA-17(6) Developer Security and Privacy Architecture and Design _ Structure for Testing | | | | |
| 💼 SA-17(7) Developer Security and Privacy Architecture and Design _ Structure for Least Privilege | | | | |
| 💼 SA-17(8) Developer Security and Privacy Architecture and Design _ Orchestration | | | | |
| 💼 SA-17(9) Developer Security and Privacy Architecture and Design _ Design Diversity | | | | |
| 💼 SA-18 Tamper Resistance and Detection | 2 | | | |
| 💼 SA-18(1) Tamper Resistance and Detection _ Multiple Phases of System Development Life Cycle | | | | |
| 💼 SA-18(2) Tamper Resistance and Detection _ Inspection of Systems or Components | | | | |
| 💼 SA-19 Component Authenticity | 4 | | | |
| 💼 SA-19(1) Component Authenticity _ Anti-counterfeit Training | | | | |
| 💼 SA-19(2) Component Authenticity _ Configuration Control for Component Service and Repair | | | | |
| 💼 SA-19(3) Component Authenticity _ Component Disposal | | | | |
| 💼 SA-19(4) Component Authenticity _ Anti-counterfeit Scanning | | | | |
| 💼 SA-20 Customized Development of Critical Components | | | | |
| 💼 SA-21 Developer Screening | 1 | | | |
| 💼 SA-21(1) Developer Screening _ Validation of Screening | | | | |
| 💼 SA-22 Unsupported System Components | 1 | | | |
| 💼 SA-22(1) Unsupported System Components _ Alternative Sources for Continued Support | | | | |
| 💼 SA-23 Specialization | | | | |