NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-4(1) Functional Properties of Controls

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

Practitioner Notes

Require vendors to describe the functional properties of the security controls implemented in their products or services. You need to know what the controls do in plain terms, not just that they exist.

Example 1: In your procurement requirements, ask vendors to describe how their access controls work: 'The system supports role-based access control with configurable roles, requires MFA for privileged access, and logs all authentication events with timestamps and source IP.' This is more useful than 'the system implements access control.'

Example 2: When evaluating a SaaS product, request the vendor's security whitepaper or architecture documentation that explains their encryption methods (AES-256 at rest, TLS 1.3 in transit), authentication options (SAML, OIDC, SCIM provisioning), and audit logging capabilities in functional terms.