NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-21 — Developer Screening
Require that the developer of {{ insert: param, sa-21_odp.01 }}:
a. Has appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }}; and
b. Satisfies the following additional personnel screening criteria: {{ insert: param, sa-21_odp.03 }}.
Supplemental Guidance
Developer screening is directed at external developers. Internal developer screening is addressed by [PS-3](#ps-3). Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.
Practitioner Notes
Screen external developers who will have access to your systems, source code, build pipelines, or development environments; internal staff are screened under PS-3. A developer with malicious intent, or one who can be coerced, can introduce backdoors, weaken security controls, or exfiltrate sensitive code.
Example 1: Require background screening for contractor and vendor developers proportionate to the sensitivity of the systems they will develop or access. Developers working on classified systems need security clearances. Developers working on CUI-related systems typically need, at minimum, a standard background check. Apply the same screening level a comparable internal developer would face under PS-3, so that outsourcing does not lower the bar.
Example 2: For vendor development teams, require the vendor to certify that every developer assigned to your project has been screened to the required level, to deliver a named roster of those individuals, and to keep it current as staff join or leave. Put the screening requirements, the roster obligation, and your right to verify compliance in the contract. For offshore development, understand and document the screening limitations in each jurisdiction (for example, background checks or nationality criteria that cannot be satisfied or lawfully performed locally) and decide whether the residual risk is acceptable before work begins.
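One concrete way to exercise the "right to verify" and the roster requirement in the supplemental guidance is to cross-check who actually committed to the delivered code base against the roster the vendor certified. The script below is an added example written for this page; it is not part of NIST SP 800-53 and not any vendor's tool. The roster schema, the screening-level vocabulary (`background_check`, `secret`), the required level, and the git log lines are all constructed assumptions. It consumes the output of `git log --format='%H %aI %an <%ae>'` and flags commits whose author is not on the roster, whose screening attestation had lapsed on the commit date, or whose screening level is below what the system requires.

```python
"""Cross-check commit authors against a vendor-supplied developer roster.

Added example for SA-21 validation; it is not part of NIST SP 800-53 and not
a vendor tool. The roster schema, the screening levels, the required level
and all sample data are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RosterEntry:
    name: str
    screening_level: str  # assumed vocabulary: "background_check" < "secret"
    screened_until: date  # date the vendor's screening attestation lapses


# Ordering of the assumed screening levels, lowest to highest.
LEVEL_RANK = {"background_check": 1, "secret": 2}

# Constructed roster: the individuals the vendor certified under the contract.
ROSTER = {
    "alice@vendor.example": RosterEntry("Alice Ng", "secret", date(2026, 6, 30)),
    "bob@vendor.example": RosterEntry("Bob Ruiz", "secret", date(2024, 12, 31)),
    "carol@vendor.example": RosterEntry("Carol Stein", "background_check", date(2026, 1, 31)),
}

# Constructed output of: git log --format='%H %aI %an <%ae>'
SAMPLE_GIT_LOG = """\
a1b2c3d 2025-03-04T10:15:00+00:00 Alice Ng <alice@vendor.example>
d4e5f6a 2025-03-05T09:00:00+00:00 Bob Ruiz <bob@vendor.example>
7f8e9d0 2025-03-05T14:30:00+00:00 Carol Stein <carol@vendor.example>
0a1b2c3 2025-03-06T16:42:00+00:00 Eve Unknown <eve@contractor.example>
"""

_LOG_LINE = re.compile(r"^(\S+) (\S+) (.+?) <([^>]+)>$")


def parse_git_log(text):
    """Yield (sha, author_date, name, email) for each non-empty log line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable git log line: {line!r}")
        sha, iso, name, email = m.groups()
        # %aI is strict ISO 8601; the first ten characters are the calendar date.
        yield sha, date.fromisoformat(iso[:10]), name, email.strip().lower()


def check_authors(log_text, roster, required_level):
    """Return one finding dict per commit that fails a roster check.

    Reasons: not_on_roster, screening_expired (commit dated after the
    attestation lapsed), screening_level_insufficient.
    """
    findings = []
    for sha, when, _name, email in parse_git_log(log_text):
        entry = roster.get(email)
        if entry is None:
            findings.append({"sha": sha, "email": email, "reason": "not_on_roster"})
            continue
        if when > entry.screened_until:
            findings.append({"sha": sha, "email": email, "reason": "screening_expired"})
        if LEVEL_RANK[entry.screening_level] < LEVEL_RANK[required_level]:
            findings.append({"sha": sha, "email": email, "reason": "screening_level_insufficient"})
    return findings


def unscreened_authors(log_text, roster, required_level):
    """Distinct author e-mails with at least one finding, for the follow-up to the vendor."""
    return sorted({f["email"] for f in check_authors(log_text, roster, required_level)})


if __name__ == "__main__":
    for f in check_authors(SAMPLE_GIT_LOG, ROSTER, "secret"):
        print(f"{f['sha']}  {f['email']:<28} {f['reason']}")
```

Treat the result as a triage list, not proof: git author metadata is self-asserted (anyone can set `user.email`), so a clean run only shows that no unexpected identity appears in the history. Pair it with signed commits or the identity of the account that pushed on the hosting platform, and with the vendor's current roster rather than the one delivered at contract signing.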