NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-15(11)Archive System or Component

Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Archiving system or system components requires the developer to retain key development artifacts, including hardware specifications, source code, object code, and relevant documentation from the development process that can provide a readily available configuration baseline for system and component upgrades or modifications.

Practitioner Notes

Archive system configurations, code, and documentation when decommissioning systems so that historical information is available for future reference, legal proceedings, or forensic analysis.

Example 1: Before decommissioning a system, create a complete archive: final configuration backup, source code snapshot (tagged in version control), system security plan, all assessment reports, and incident records. Store the archive in a secure, accessible location with a defined retention period.

Example 2: In Azure DevOps, tag the final release of decommissioned projects and archive the repository. Retain build artifacts and deployment logs for the period required by your records retention policy. Document the archive location and contents in your system inventory so future staff can locate it if needed.

More System and Services Acquisition Controls

SA-1 Policy and Procedures SA-2 Allocation of Resources SA-3 System Development Life Cycle SA-3(1) Manage Preproduction Environment