NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-23 — Specialization
Employ {{ insert: param, sa-23_odp.01 }} on {{ insert: param, sa-23_odp.02 }} supporting mission essential services or functions to increase the trustworthiness in those systems or components.
Supplemental Guidance
It is often necessary for a system or system component that supports mission-essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement is done at the design level. In other instances, it is done post-design, either through modifications of the system in question or by augmenting the system with additional components. For example, supplemental authentication or non-repudiation functions may be added to the system to enhance the identity of critical resources to other resources that depend on the organization-defined resources.
Practitioner Notes
Specialization means using dedicated, purpose-built components for security functions rather than general-purpose components with security features added on. Specialized tools are typically more effective at their specific function.
Example 1: Use a dedicated Web Application Firewall (WAF) for protecting web applications rather than relying solely on a general-purpose network firewall. A WAF is specifically designed to detect and block web attacks like SQL injection and XSS that a network firewall cannot see.
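To make the "cannot see" point concrete, here is an added example (not NIST text and not any WAF product's code) that places a packet-filter decision beside a content-inspection decision for the same HTTP requests. The rule patterns, request lines, IP address and port policy are all constructed for illustration; a real WAF carries far richer rule sets, normalization and anomaly scoring than the two regexes here.

```python
# Added example: what a network firewall decides on versus what a WAF inspects.
# Everything below (rules, sample requests, addresses) is constructed, not real traffic.
import re
from urllib.parse import parse_qsl, urlsplit

# Network-firewall view: only the 5-tuple is visible; the HTTP payload is opaque.
ALLOWED_DST_PORTS = {80, 443}


def network_firewall_allows(src_ip: str, dst_port: int) -> bool:
    """General-purpose packet filter: policy on addresses and ports only."""
    return dst_port in ALLOWED_DST_PORTS


# WAF view: decode the request and apply content rules to each parameter value.
WAF_RULES = {
    # SQL-injection indicators: quote followed by boolean logic, comment markers, UNION.
    "sqli": re.compile(r"('|\")\s*(or|and)\s+.+?=|--\s|/\*|union\s+select", re.I),
    # Reflected-XSS indicators: script tags, javascript: URLs, inline event handlers.
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
}


def waf_inspect(request_line: str) -> tuple[bool, list[str]]:
    """Return (allowed, findings) for one raw HTTP request line.

    parse_qsl URL-decodes each value, so percent-encoded payloads are matched
    in their decoded form rather than slipping past as opaque bytes.
    """
    _method, target, _version = request_line.split(" ", 2)
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for rule, pattern in WAF_RULES.items():
            if pattern.search(value):
                findings.append(f"{rule}:{name}")
    return (not findings, findings)


def evaluate(src_ip: str, dst_port: int, request_line: str) -> dict:
    """Both decisions side by side: the firewall sees only the port, the WAF sees the content."""
    allowed, findings = waf_inspect(request_line)
    return {
        "network_firewall": network_firewall_allows(src_ip, dst_port),
        "waf": allowed,
        "findings": findings,
    }


# Constructed sample requests: one benign search, one SQLi attempt, one XSS attempt.
SAMPLE_REQUESTS = [
    "GET /search?q=laptop+bags HTTP/1.1",
    "GET /login?user=admin%27+OR+%271%27%3D%271&pass=x HTTP/1.1",
    "GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split(" ")[1], evaluate("203.0.113.7", 443, req))
```

All three requests arrive on port 443 from a permitted source, so the packet filter passes every one of them; only the component built to parse HTTP can tell the benign search from the two injection attempts.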
Example 2: Use a dedicated secrets management service (Azure Key Vault, HashiCorp Vault) for storing API keys, certificates, and passwords rather than general-purpose storage. Specialized secrets managers provide access controls, audit logging, rotation capabilities, and hardware-backed encryption that general storage cannot match.
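The capabilities Example 2 lists are easier to appreciate side by side with the general-purpose alternative. The following is an added example, not NIST text and not code from Azure Key Vault or HashiCorp Vault: a deliberately small in-memory model of a purpose-built secrets manager that enforces a per-identity read policy, keeps an append-only audit trail, and treats rotation as a new version while the previous one stays reachable for the roll-over window. The identities, policy, secret names and values are constructed for illustration; hardware-backed encryption is out of scope for a toy and is simply not modelled.

```python
# Added example: general-purpose config storage beside a minimal secrets-manager model.
# All identities, names and values are constructed; this is an illustration, not a product.
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# General-purpose storage: a dict loaded from a config file. Anyone who can read the
# file gets every secret, nothing records who read what, and "rotation" means editing
# the file and redeploying. (Constructed values.)
CONFIG_FILE = {"db-password": "hunter2", "api-key": "example-key-not-real"}


def config_file_lookup(name: str) -> str:
    return CONFIG_FILE[name]          # no identity check, no audit trail, no versions


@dataclass
class AuditEvent:
    when: datetime
    identity: str
    action: str
    secret: str
    outcome: str


class AccessDenied(PermissionError):
    pass


class SecretsVault:
    """Toy model of a purpose-built secrets manager (in-memory, illustration only)."""

    def __init__(self, read_policy: dict[str, set[str]], admins: set[str]):
        self._read_policy = read_policy     # identity -> names it may read
        self._admins = admins               # identities allowed to write/rotate
        self._versions: dict[str, list[str]] = {}
        self.audit: list[AuditEvent] = []   # append-only; every access lands here

    def _log(self, identity: str, action: str, secret: str, outcome: str) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc), identity, action, secret, outcome))

    def _authorize_read(self, identity: str, name: str, action: str) -> None:
        if name not in self._read_policy.get(identity, set()):
            self._log(identity, action, name, "denied")
            raise AccessDenied(f"{identity} may not read {name}")

    def put(self, identity: str, name: str, value: str, action: str = "put") -> int:
        """Store a new version of `name`; returns the 1-based version number."""
        if identity not in self._admins:
            self._log(identity, action, name, "denied")
            raise AccessDenied(f"{identity} may not write {name}")
        self._versions.setdefault(name, []).append(value)
        self._log(identity, action, name, "ok")
        return len(self._versions[name])

    def rotate(self, identity: str, name: str, new_value: Optional[str] = None) -> int:
        """Rotation adds a fresh version; older ones stay readable during roll-over."""
        if new_value is None:
            new_value = secrets.token_urlsafe(32)
        return self.put(identity, name, new_value, action="rotate")

    def get(self, identity: str, name: str) -> str:
        self._authorize_read(identity, name, "get")
        self._log(identity, "get", name, "ok")
        return self._versions[name][-1]

    def previous(self, identity: str, name: str) -> str:
        """Version before the current one, for consumers still finishing a rotation."""
        self._authorize_read(identity, name, "get-previous")
        if len(self._versions.get(name, [])) < 2:
            self._log(identity, "get-previous", name, "none")
            raise LookupError(f"{name} has no previous version")
        self._log(identity, "get-previous", name, "ok")
        return self._versions[name][-2]


def demo() -> list[str]:
    """Write, read, denied read, rotate, read both versions; returns the audit outcomes."""
    vault = SecretsVault(read_policy={"web-app": {"db-password"}}, admins={"secrets-admin"})
    vault.put("secrets-admin", "db-password", "v1-initial")
    vault.get("web-app", "db-password")
    try:
        vault.get("batch-job", "db-password")      # not in policy -> denied and logged
    except AccessDenied:
        pass
    vault.rotate("secrets-admin", "db-password", "v2-rotated")
    vault.get("web-app", "db-password")            # now returns v2
    vault.previous("web-app", "db-password")       # v1 still reachable during roll-over
    return [f"{e.identity}:{e.action}:{e.outcome}" for e in vault.audit]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the write path and the read path are separated: the admin identity can rotate the secret but is not in the read policy, so an attempt by it to read is denied and recorded. The audit list is what an investigator would pull after an incident; the config-file approach has no equivalent.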