NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-10(7) — Security and Privacy Representatives
Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process].
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Information security and privacy representatives can include system security officers, senior agency information security officers, senior agency officials for privacy, and system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change management and control process in this control enhancement refers to the change management and control process defined by organizations in SA-10b.
Practitioner Notes
Name the security and privacy representatives and make them a required part of the configuration change management and control process defined under SA-10b, so that security and privacy review happens when a change is proposed and approved, not as a last-minute review before release. An occasional, ad hoc request for review does not satisfy the enhancement; the representatives must be a defined step in the process, and their participation should be recorded on the change so it can be evidenced.
Example 1: Assign a security champion to every development team and list them as a required reviewer in the team's change process. This person participates in design reviews, user story grooming, and code reviews with a security lens. They do not replace the security team; they ensure security is considered during daily development activities and escalate changes that need specialist review.
Example 2: Include a privacy engineer or privacy point of contact in projects that handle PII. This person reviews data collection plans, ensures privacy-by-design principles are followed, and validates that the implementation matches the approved Privacy Impact Assessment, flagging any change that adds new data elements or new uses of existing data, since those invalidate the assessment.
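One way to make the representatives a hard step in the change process rather than a convention is a merge gate that refuses changes to security- or privacy-relevant paths until a designated representative has approved them. The following is an added example, not part of the NIST text or any product; the path-to-role map, the roster of representatives, and the change-request records are constructed assumptions (in practice the roster would come from an identity-provider group and the change records from the ticketing or source-control system). It also enforces that an author's own approval never counts, so a representative cannot sign off on their own change.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Hypothetical ownership map (an assumption for this example): which
# representative roles must approve changes touching a path. fnmatch's "*"
# also matches "/", so "auth/*" covers the whole subtree.
REQUIRED_ROLES = {
    "infra/iam/*": {"security"},
    "auth/*": {"security"},
    "services/customer-data/*": {"security", "privacy"},
}

# Hypothetical roster of designated representatives. In practice this would
# be read from an IdP group so membership is managed, not hard-coded.
ROSTER = {
    "alice": {"security"},
    "bob": {"privacy"},
    "carol": set(),  # ordinary developer, not a designated representative
}


@dataclass
class ChangeRequest:
    ident: str
    author: str
    files: list
    approvals: list  # usernames that approved the change


def required_roles(files):
    """Union of representative roles required by every touched path."""
    roles = set()
    for path in files:
        for pattern, needed in REQUIRED_ROLES.items():
            if fnmatch(path, pattern):
                roles |= needed
    return roles


def missing_roles(cr):
    """Roles still lacking an approval from a designated representative.
    The author's own approval is ignored (separation of duties)."""
    needed = required_roles(cr.files)
    covered = set()
    for user in cr.approvals:
        if user == cr.author:
            continue
        covered |= ROSTER.get(user, set())
    return needed - covered


def gate(cr):
    """True when the change may proceed through change control."""
    return not missing_roles(cr)


if __name__ == "__main__":
    # Constructed sample change requests.
    samples = [
        ChangeRequest("CR-1", "carol", ["docs/README.md"], []),
        ChangeRequest("CR-2", "carol", ["auth/login.py"], ["carol"]),
        ChangeRequest("CR-3", "carol", ["auth/login.py"], ["alice"]),
        ChangeRequest("CR-4", "carol", ["services/customer-data/export.py"], ["alice"]),
        ChangeRequest("CR-5", "alice", ["auth/login.py"], ["alice"]),
    ]
    for cr in samples:
        status = "OK" if gate(cr) else "BLOCKED, missing " + ", ".join(sorted(missing_roles(cr)))
        print(cr.ident, status)
```

CR-1 passes because no mapped path is touched; CR-2 is blocked because carol is not a representative; CR-4 is blocked because a PII-handling path needs a privacy approval in addition to alice's security approval; CR-5 is blocked because alice approved her own change. Wiring the gate into CI or a branch-protection hook gives an auditable record of which representative reviewed each change, which is the evidence an assessor will ask for.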