family SA
framework nist-800-53
Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements; Strength of mechanism requirements; Security and privacy assurance requirements; Controls needed to satisfy the security and privacy requirements; Security and privacy documentation requirements; Requirements for protecting security and privacy documentation; Description of the system development environment and environment in which the system is intended to operate; Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and Acceptance criteria.
Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
Include {{ insert: param, sa-04.11_odp }} in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.
Include organizational data ownership requirements in the acquisition contract; and Require all data to be removed from the contractor’s system and returned to the organization within {{ insert: param, sa-04.12_odp }}.
Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: {{ insert: param, sa-04.03_odp.01 }}; {{ insert: param, sa-04.03_odp.02 }}; and {{ insert: param, sa-04.03_odp.05 }}.
Require the developer of the system, system component, or system service to: Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.
Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.