SA-10 Developer Configuration Management
Family: SA
Baselines: moderate
Mapped KSIs: 1
Control statement
Require the developer of the system, system component, or system service to:
a. Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};
b. Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}.
(e) Requirement: track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.
Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Category |
|---|---|---|
| KSI-TPR-03 | Supply Chain Risk Management: _Persistently_ identify, review, and mitigate potential supply chain risks. | Third-Party Information Resources |