NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-20 — Customized Development of Critical Components
Reimplement or custom develop the following critical system components: {{ insert: param, sa-20_odp }}.
Supplemental Guidance
Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to reimplement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files.
Practitioner Notes
When standard commercial products cannot meet your security requirements for critical functions, consider custom development. Customized components can be tailored to your exact security needs.
Example 1: Identify functions where commercial off-the-shelf (COTS) products do not meet your security requirements — perhaps due to unique encryption needs, specialized access control requirements, or the need to avoid widely-known products that are common attack targets. In these cases, custom development may reduce risk.
Example 2: If you develop custom critical components, apply the most rigorous development practices: formal code review, extensive testing, independent security assessment, and ongoing vulnerability management. Custom code does not have the broad user base that helps find bugs in popular products, so you need to invest more in your own testing.