NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-4(9) — Functions, Ports, Protocols, and Services in Use
Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.
Supplemental Guidance
The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources.
Practitioner Notes
Require vendors to document all functions, ports, protocols, and services that their products use. You cannot secure what you do not understand, and undocumented network behavior is a risk.
Example 1: Before deploying a new product, require the vendor to provide a complete list of network ports and protocols it requires (e.g., TCP 443 for HTTPS management, UDP 514 for syslog, TCP 8443 for API). Map these against your firewall rules and deny any traffic not explicitly documented and approved.
Example 2: In your procurement checklist, include a requirement for vendors to provide a 'ports and protocols' matrix. After deployment, validate using network monitoring tools (Wireshark, NetFlow analyzers) that the product is only communicating on the documented ports. Any undocumented communication should be investigated and reported to the vendor.