Which factor does SA-13 primarily address in information security controls?

SA-13 focuses on trustworthiness within the acquisition and management of systems and services. It centers on ensuring that what you acquire—from vendors, developers, and service providers—meets security requirements and can be relied upon to protect the organization. This involves due diligence on supplier security practices, contractual protections, ongoing monitoring, and assurances that third-party components don’t undermine the overall security posture. It’s about the integrity and reliability of outside elements introduced into the environment. This isn’t primarily about how access to resources is controlled, nor about the specific encryption standards used, or about how incidents are detected and handled. Those areas are addressed by other control families, whereas SA-13 is specifically concerned with establishing and maintaining trust throughout the acquisition lifecycle.