NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-4(5) System, Component, and Service Configurations

Require the developer of the system, system component, or system service to:
(a) Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and
(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed.

Practitioner Notes

Require vendors to deliver systems and components in a secure configuration, not with default settings that need to be hardened after deployment. Secure by default saves time and reduces risk.

Example 1: Include language in contracts requiring vendors to deliver systems configured to DISA STIG, CIS Benchmark, or your organization's hardening standard. Systems should arrive with unnecessary services disabled, default passwords changed, and security features enabled — not in a factory-default state.

Example 2: When procuring cloud services, require the vendor to document their default security configuration and any tenant-configurable security settings. Compare their defaults against your security baseline and identify settings you need to change. In M365, use the Secure Score recommendations as a checklist for proper tenant configuration.
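The "compare their defaults against your security baseline" step in Example 2, and the delivery acceptance in Example 1, can be made repeatable with a small script. The following is an added illustration, not NIST text or any vendor's tooling: it assumes the vendor supplies an "as delivered" configuration report as a simple dictionary (a constructed format) and compares it against an organizational baseline covering hardening settings, exposed ports and protocols, prohibited services, and default-credential replacement. All setting names, accounts, and sample values are constructed for the example.

```python
"""Delivery acceptance check for SA-4(5).

Added illustration, not NIST text or any vendor's tooling. It compares a
vendor-supplied "as delivered" configuration report against an
organizational hardening baseline and lists every deviation, so the
delivery can be rejected or the gaps tracked before the system is
deployed. Baseline keys, report format and all sample values are
constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Baseline:
    settings: dict            # hypothetical setting names -> required values
    allowed_listeners: set    # port/protocol pairs that may be exposed
    prohibited_services: set  # services that must be disabled at delivery
    default_accounts: set     # accounts whose factory credential must be replaced


@dataclass
class Deviation:
    category: str
    item: str
    expected: object
    actual: object

    def __str__(self):
        return f"[{self.category}] {self.item}: expected {self.expected!r}, found {self.actual!r}"


def compare_delivered_config(baseline: Baseline, delivered: dict) -> list:
    """Return every way the delivered report falls short of the baseline."""
    deviations = []

    # 1. Hardening settings must match the baseline exactly; a key the vendor
    #    did not report is a deviation, not silently treated as compliant.
    reported = delivered.get("settings", {})
    for key, expected in baseline.settings.items():
        actual = reported.get(key, "<not reported>")
        if actual != expected:
            deviations.append(Deviation("setting", key, expected, actual))

    # 2. Limitations on ports and protocols: anything listening that is not
    #    on the allow-list is a deviation (see the supplemental guidance).
    for listener in sorted(set(delivered.get("listeners", [])) - baseline.allowed_listeners):
        deviations.append(Deviation("listener", listener, "not exposed", "listening"))

    # 3. Unnecessary services must be disabled on arrival.
    enabled = set(delivered.get("enabled_services", []))
    for service in sorted(enabled & baseline.prohibited_services):
        deviations.append(Deviation("service", service, "disabled", "enabled"))

    # 4. Default passwords must have been changed. The check fails closed:
    #    an account the vendor did not report on counts as unchanged.
    changed = delivered.get("default_password_changed", {})
    for account in sorted(baseline.default_accounts):
        if not changed.get(account, False):
            deviations.append(Deviation("credential", account, "default password changed",
                                        "unchanged or not reported"))
    return deviations


def accept_delivery(baseline: Baseline, delivered: dict) -> bool:
    """True only when the delivery has zero deviations from the baseline."""
    return not compare_delivered_config(baseline, delivered)


# Constructed organizational baseline (stand-in for a STIG/CIS-derived standard).
BASELINE = Baseline(
    settings={"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no", "audit.enabled": True},
    allowed_listeners={"22/tcp", "443/tcp"},
    prohibited_services={"telnet", "ftp", "snmpv1"},
    default_accounts={"root", "admin"},
)

# Constructed vendor report for a unit shipped in factory-default state.
AS_SHIPPED = {
    "settings": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no", "audit.enabled": True},
    "listeners": ["22/tcp", "23/tcp", "443/tcp"],
    "enabled_services": ["sshd", "telnet", "https"],
    "default_password_changed": {"root": True},  # nothing said about "admin"
}

# Constructed report for the same unit after the vendor applied the baseline.
HARDENED = {
    "settings": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no", "audit.enabled": True},
    "listeners": ["22/tcp", "443/tcp"],
    "enabled_services": ["sshd", "https"],
    "default_password_changed": {"root": True, "admin": True},
}

if __name__ == "__main__":
    for label, report in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        devs = compare_delivered_config(BASELINE, report)
        print(f"{label}: {'ACCEPT' if not devs else 'REJECT'} ({len(devs)} deviation(s))")
        for d in devs:
            print("  ", d)
```

Run against the as-shipped report it rejects the delivery with four deviations (root login permitted, telnet listening on 23/tcp, the telnet service enabled, and no evidence that the "admin" default password was changed); the hardened report passes. Because the baseline is a plain data structure, the same comparison can be re-run after every reinstallation or upgrade, which is how part (b) of the control, keeping the delivered configuration as the default, becomes verifiable rather than contractual only.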