NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-4(6) — Use of Information Assurance Products
(a) Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
(b) Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
Supplemental Guidance
Commercial off-the-shelf IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. See [NSA CSFC](#3d575737-98cb-459d-b41c-d7e82b73ad78).
Practitioner Notes
When acquiring information assurance products (encryption modules, firewalls, intrusion detection systems), use products that have been evaluated and validated by a recognized testing program, and record the evidence of that validation in the procurement file. Note the scope of this enhancement: where classified information crosses a network of lower classification, only an NSA-approved solution satisfies it. FIPS 140 validation or an approved-products-list entry on its own does not; for commercial products that means the components and configuration specified by NSA's CSfC program (see the link above). The two examples below cover the general case of validated IA products and are preconditions for, not substitutes for, that NSA approval.
Example 1: For encryption products, require FIPS 140-2 or FIPS 140-3 validation. Check the NIST Cryptographic Module Validation Program (CMVP) validated-modules list to verify that the vendor's certificate is current: its status must be Active (not Historical or Revoked), and CMVP has announced that FIPS 140-2 certificates move to the Historical list on September 21, 2026, so prefer FIPS 140-3 for new procurements. A certificate covers only the module name, module version and tested operational environments named on it, so confirm that the version and platform you will actually deploy match; a vendor's "FIPS-validated" claim for a different build or OS is not evidence. Include the FIPS validation certificate number, the covered module version and the deployed operational environment in your procurement documentation.
Example 2: For network security products (firewalls, IDS/IPS), check whether they appear on the DoDIN APL (Department of Defense Information Network Approved Products List). Products on the APL have been tested for interoperability and cybersecurity, and each listing names a specific product and software version, so verify that the version you intend to buy is the one listed and that the listing is still current. Include APL listing as a procurement requirement for defense contracts, and keep a copy of the listing with the contract file.
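The checks in Example 1 are easy to state and easy to skip in practice, so here is an added example (not part of the NIST text or any NSA/NIST tooling) that encodes them as a procurement gate: given a vendor's FIPS claim and a copy of the relevant CMVP certificate records, it rejects certificates that are not Active, module versions or names the certificate does not cover, and FIPS 140-2 certificates on or after their Historical-list date, and it flags an untested operational environment for written justification. The certificate records, module names, version strings and operational environments below are constructed sample data shaped like CMVP list entries, not real certificates; in use you would copy the fields from the CMVP validated-modules search results.

```python
"""Procurement gate for a vendor's FIPS 140 validation claim (added example).

Checks a Claim (what the proposal says) against Certificate records copied
from the CMVP validated-modules list. Everything in SAMPLE_REGISTRY is
constructed sample data, not a real CMVP certificate.
"""
from dataclasses import dataclass
from datetime import date

# CMVP has announced that all FIPS 140-2 certificates move to the Historical
# list on this date; Historical certificates should not back new procurements.
FIPS_140_2_SUNSET = date(2026, 9, 21)


@dataclass(frozen=True)
class Certificate:
    number: int
    module_name: str
    standard: str                        # "FIPS 140-2" or "FIPS 140-3"
    status: str                          # CMVP status: Active / Historical / Revoked
    versions: frozenset                  # module versions named on the certificate
    operational_environments: frozenset  # OEs the lab actually tested on


@dataclass(frozen=True)
class Claim:
    """What the vendor wrote in the proposal and what we will deploy."""
    certificate_number: int
    module_name: str
    module_version: str
    operational_environment: str


def check_claim(claim: Claim, registry: dict, today: date) -> dict:
    """Return {'accepted': bool, 'blocking': [...], 'advisory': [...]}.

    'blocking' findings mean the claim does not evidence a current validation
    of the product being bought; 'advisory' findings need written justification.
    """
    blocking, advisory = [], []
    cert = registry.get(claim.certificate_number)
    if cert is None:
        blocking.append(f"certificate #{claim.certificate_number} not found in CMVP list")
        return {"accepted": False, "blocking": blocking, "advisory": advisory}

    if cert.module_name != claim.module_name:
        blocking.append(f"certificate #{cert.number} is for '{cert.module_name}', "
                        f"not '{claim.module_name}'")
    if cert.status != "Active":
        blocking.append(f"certificate #{cert.number} status is {cert.status}, not Active")
    if claim.module_version not in cert.versions:
        blocking.append(f"module version {claim.module_version} is not covered by "
                        f"certificate #{cert.number} (covered: {sorted(cert.versions)})")
    if claim.operational_environment not in cert.operational_environments:
        advisory.append(f"operational environment '{claim.operational_environment}' was not "
                        f"tested under certificate #{cert.number}; require vendor justification")
    if cert.standard == "FIPS 140-2":
        if today >= FIPS_140_2_SUNSET:
            blocking.append(f"FIPS 140-2 certificate #{cert.number} has passed the "
                            f"{FIPS_140_2_SUNSET} Historical-list date")
        else:
            advisory.append(f"FIPS 140-2 certificate #{cert.number} sunsets on "
                            f"{FIPS_140_2_SUNSET}; prefer a FIPS 140-3 validation")
    return {"accepted": not blocking, "blocking": blocking, "advisory": advisory}


# Constructed sample records (hypothetical certificate numbers and products).
SAMPLE_REGISTRY = {
    c.number: c for c in (
        Certificate(4001, "Example Crypto Module", "FIPS 140-3", "Active",
                    frozenset({"3.0.0", "3.0.1"}),
                    frozenset({"Ubuntu 22.04 on Intel Xeon"})),
        Certificate(2900, "Legacy Crypto Module", "FIPS 140-2", "Active",
                    frozenset({"1.2"}),
                    frozenset({"RHEL 8 on Intel Xeon"})),
        Certificate(1500, "Old Crypto Module", "FIPS 140-2", "Historical",
                    frozenset({"0.9"}),
                    frozenset({"Windows Server 2012 on Intel Xeon"})),
    )
}


def gate(claim: Claim, today: date = None) -> bool:
    """Convenience wrapper: evaluate a claim against the sample registry."""
    result = check_claim(claim, SAMPLE_REGISTRY, today or date.today())
    for level in ("blocking", "advisory"):
        for finding in result[level]:
            print(f"[{level}] {finding}")
    return result["accepted"]


if __name__ == "__main__":
    ok = gate(Claim(4001, "Example Crypto Module", "3.1.0", "Ubuntu 22.04 on Intel Xeon"),
              date(2025, 6, 1))
    print("ACCEPTED" if ok else "REJECTED")
```

The version and operational-environment checks are the ones most often skipped: a vendor can hold a perfectly good certificate for build 3.0.1 on Ubuntu while shipping you build 3.1.0 on a different OS, and nothing in that certificate speaks to what you are deploying.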