NIST 800-53 Rev. 5

AC
AT
AU
CA
CM
CP
IA
IR
MA
MP
PE
PL
PM
PS
PT
RA
SA
SC
SI
SR
SA-1
SA-2
SA-3
SA-3(1)
SA-3(2)
SA-3(3)
SA-4
SA-4(1)
SA-4(2)
SA-4(3)
SA-12
SA-4(5)
SA-4(6)
SA-4(7)
SA-4(8)
SA-4(9)
SA-4(10)
SA-4(11)
SA-4(12)
SA-5
SA-12(1)
SA-12(10)
SA-12(11)
SA-12(12)
SA-12(13)
SA-12(14)
SA-12(15)
SA-8
SA-8(1)
SA-8(2)
SA-8(3)
SA-8(4)
SA-8(5)
SA-8(6)
SA-8(7)
SA-8(8)
SA-8(9)
SA-8(10)
SA-8(11)
SA-8(12)
SA-8(13)
SA-8(14)
SA-8(15)
SA-8(16)
SA-8(17)
SA-8(18)
SA-8(19)
SA-8(20)
SA-8(21)
SA-8(22)
SA-8(23)
SA-8(24)
SA-8(25)
SA-8(26)
SA-8(27)
SA-8(28)
SA-8(29)
SA-8(30)
SA-8(31)
SA-8(32)
SA-8(33)
SA-9
SA-9(1)
SA-9(2)
SA-9(3)
SA-9(4)
SA-9(5)
SA-9(6)
SA-9(7)
SA-9(8)
SA-10
SA-10(1)
SA-10(2)
SA-10(3)
SA-10(4)
SA-10(5)
SA-10(6)
SA-10(7)
SA-11
SA-11(1)
SA-11(2)
SA-11(3)
SA-11(4)
SA-11(5)
SA-11(6)
SA-11(7)
SA-11(8)
SA-11(9)
SA-12(2)
SA-12(3)
SA-12(4)
SA-12(5)
SA-12(6)
SA-12(7)
SA-12(8)
SA-12(9)
SA-13
SA-14
SA-14(1)
SA-15(4)
SA-15(9)
SA-18
SA-18(1)
SA-18(2)
SA-19
SA-19(1)
SA-19(2)
SA-15
SA-15(1)
SA-15(2)
SA-15(3)
SA-19(3)
SA-15(5)
SA-15(6)
SA-15(7)
SA-15(8)
SA-19(4)
SA-15(10)
SA-15(11)
SA-15(12)
SA-16
SA-17
SA-17(1)
SA-17(2)
SA-17(3)
SA-17(4)
SA-17(5)
SA-17(6)
SA-17(7)
SA-17(8)
SA-17(9)
SA-21(1)
SA-22(1)
SA-4(4)
SA-5(1)
SA-5(2)
SA-5(3)
SA-5(4)
SA-5(5)
SA-20
SA-21
SA-6
SA-22
SA-7
SA-23

SA-4(12): Acquisition Process | Data Ownership

Control Text:

(a) Include organizational data ownership requirements in the acquisition contract; and (b) Require all data to be removed from the contractor’s system and returned to the organization within [Assignment: organization-defined time frame].

Contractors who operate a system that contains data owned by an organization initiating the contract have policies and procedures in place to remove the data from their systems and/or return the data in a time frame defined by the contract.

Related Controls

  • None