NIST 800-53 System and Services Acquisition Compliance for Private Mendix Platform
Last modified: June 2, 2026
Introduction
Documents in this section provide more information about Private Mendix Platform's compliance with the System and Services Acquisition (SA) category of the NIST 800-53 security framework. For each applicable control, we have listed which party (Mendix or the customer) is responsible for which component or aspect.
In general, Mendix is responsible for the Private Mendix Platform, Mendix Operator, Mendix Studio Pro, Mendix Runtime, and so on. Customer responsibilities relate to infrastructure and organizational processes. For more information, refer to the detailed documentation below.
- SA-02 - Allocation of Resources
- SA-03 - System Development Life Cycle
- SA-04 - System and Services Acquisition
- SA-04 (01) - Functional Properties of Security Controls
- SA-04 (02) - Design and Implementation Information
- SA-04 (07) - NIAP-Approved Protection Profiles and FIPS-Validated Cryptography
- SA-04 (08) - Continuous Monitoring Plan
- SA-04 (09) - Functions, Ports, Protocols, and Services
- SA-04 (10) - FIPS 201-Approved PIV Products
- SA-05 - Information System Documentation
- SA-10 - Developer Configuration Management
- SA-10 (01) - Software and Firmware Integrity Verification
- SA-11 (01) - Static Code Analysis
- SA-11 (02) - Threat and Vulnerability Analysis
- SA-11 (08) - Dynamic Code Analysis
- SA-12 - Supply Chain Protection