SA-4(11): System of Records
SA-4(11): System of Records requires you to place explicit “system of records” privacy and records-handling obligations (Privacy Act requirements, in the published catalog text) into any acquisition contract under which a third party will operate a system of records on your behalf to accomplish a mission or function. Operationalize it by identifying affected contracts, adding the required clause package, and retaining evidence that the clauses are present and enforced. 1
Key takeaways:
- Treat SA-4(11) as a contracting control: your primary control action is clause insertion and flowdown to relevant subcontractors. 2
- Build a repeatable intake: “Will this third party operate a system of records?” drives whether SA-4(11) clauses are mandatory.
- Audit readiness is evidence-driven: exam teams will ask for executed contracts, clause matrices, and proof the requirement is embedded in procurement workflows.
The SA-4(11): System of Records requirement sits in NIST SP 800-53’s System and Services Acquisition (SA) family, so it behaves differently from technical controls. You do not “configure” SA-4(11). You contract it, then prove that procurement applies it consistently whenever a third party operates a system of records for your organization’s mission.
The requirement is easy to misunderstand because “system of records” is a Privacy Act of 1974 term (a group of records under the organization’s control from which information is retrieved by an individual’s name or other personal identifier) that usually lives with the privacy office, while SA controls usually live with security or procurement. That split is where programs fail: a contract gets signed before anyone flags that the third party will operate a system that maintains records about individuals, and now you are retrofitting privacy and records obligations after go-live.
This page gives you requirement-level implementation guidance you can execute fast: how to scope applicability, how to embed the required contract language, how to make the workflow stick, and what evidence to retain so an assessor can validate operation, not just intent. The goal is simple: every in-scope contract contains the required SA-4(11) language, and you can prove it. 2
Regulatory text
Requirement (verbatim): “Include {{ insert: param, sa-04.11_odp }} in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.” 1
What the operator must do
- Determine whether the acquisition is for operation of a system of records (not just software licensing or incidental support).
- Insert the organization-defined SA-4(11) contract language. The {{ insert: param, sa-04.11_odp }} placeholder in the OSCAL text is the organization-defined parameter (ODP); in the published catalog it reads “organization-defined Privacy Act requirements,” so your clause content must at minimum carry the Privacy Act obligations your organization has determined apply to contractor-operated systems of records.
- Ensure the contract actually governs performance, including flowdown where subcontractors will perform system-of-records operations.
- Retain evidence that the clause package is present in executed agreements and that procurement uses a repeatable mechanism to include it. 2
Plain-English interpretation
If a third party will run a system that holds records about individuals on your behalf as part of your mission, your contract must explicitly require the third party to handle those records under your defined rules. SA-4(11) is less about drafting pretty language and more about making sure your privacy, records management, and security expectations are legally binding before the third party starts operations.
Practically, this becomes a procurement gate:
- No clause, no award for in-scope engagements.
- No clause flowdown, no subcontracting for in-scope operations.
- No executed agreement on file, no audit pass for SA-4(11).
Who it applies to (entity and operational context)
SA-4(11) applies when:
- You are a federal organization operating federal information systems, or
- You are a contractor operating systems handling federal data, and your contracting chain requires alignment to NIST SP 800-53 controls. 2
Operational contexts that commonly trigger SA-4(11):
- A third party hosts and operates a case management system containing records about individuals.
- A managed service provider runs operations (admin, monitoring, backups, account management) for an HR, benefits, or identity system containing individual records.
- A BPO provider operates a workflow platform that stores individual-level records and uses them to deliver a mission function.
Contexts that are often not SA-4(11) by themselves (still evaluate):
- Buying SaaS where the provider runs its own multi-tenant service on its own terms and you are not delegating the operation of a system of records on your behalf in the Privacy Act sense.
- Pure staff augmentation where your organization operates the system and contractors only support under your direct supervision.
Your scoping decision must be written down and repeatable. Auditors will not accept “we just know.” 2
What you actually need to do (step-by-step)
Step 1: Define your SA-4(11) clause package (the ODP)
SA-4(11) explicitly expects organization-defined content (the ODP, which the catalog frames as Privacy Act requirements). Build a clause package that procurement can insert consistently. Keep it modular so it can be attached to:
- master services agreements,
- task orders,
- statements of work,
- data processing / privacy addenda, and
- subcontractor flowdowns.
Minimum topics your SA-4(11) clause package should cover (keep it aligned to your internal governance):
- Scope of the system of records operations (what functions the third party performs).
- Allowed processing and use limitations tied to mission purpose.
- Records handling requirements (collection, access, correction, retention, disposition).
- Security and privacy controls obligations and right-to-audit/assessment support.
- Incident reporting and cooperation duties.
- Subcontractor restrictions and mandatory flowdown language.
- Return/destruction obligations at termination and transition assistance.
Document ownership clearly: privacy drafts the “system of records” content, security drafts control expectations, procurement makes it enforceable.
Step 2: Build an applicability decision gate into intake
Create a simple intake question set that an intake coordinator can run before drafting starts:
SA-4(11) applicability check
- Will the third party operate (administer, host, manage, maintain) the system for us?
- Does the system maintain records about individuals that are retrieved by name or another personal identifier, in support of a mission or business function?
- Will the third party have ongoing access to those records as part of operations?
If “yes,” SA-4(11) is mandatory and the clause package must be attached.
Implementation tip: Put the gate in the same tool people already use (procurement intake form, CLM questionnaire, or third-party onboarding workflow). If it lives in a policy PDF, it will be skipped.
Step 3: Update your contract templates and clause library
Operationalize SA-4(11) by making the compliant path the easy path:
- Add SA-4(11) clause package to your standard contract playbook.
- Create fallback positions and negotiable vs non-negotiable elements.
- Add a clause mapping table showing where each SA-4(11) obligation appears (MSA, DPA, SOW, exhibits).
Step 4: Establish pre-award controls (no signature without clause)
Put a “hard stop” in the workflow:
- Legal/procurement must confirm the SA-4(11) exhibit is included for in-scope engagements.
- The control owner (often GRC or privacy) performs a quick review against the clause mapping table.
- Track exceptions formally (risk acceptance or waiver), with approver and rationale.
Step 5: Ensure subcontractor flowdown is covered
SA-4(11) is routinely weakened by subcontracting. Require the prime to:
- disclose subcontractors involved in operations,
- flow down the SA-4(11) obligations, and
- remain accountable for subcontractor performance.
Step 6: Tie SA-4(11) to ongoing third-party governance
Contract language without oversight becomes shelfware. Add operational touchpoints:
- onboarding verification that operational access aligns to contract scope,
- periodic attestations or reviews that records handling obligations are followed,
- contract renewal checks to confirm clauses remain in effect after amendments.
Daydream fit (where it earns its place): use Daydream to map SA-4(11) to a named control owner, a documented procedure, and recurring evidence artifacts so you can demonstrate consistent execution across third parties and contract types. 1
Required evidence and artifacts to retain
Maintain an “SA-4(11) evidence packet” per in-scope engagement:
Contracting artifacts
- Executed agreement(s) showing SA-4(11) clause package included (MSA/SOW/exhibits).
- Clause mapping table cross-referencing SA-4(11) obligations to contract sections.
- Subcontractor flowdown language and any disclosed subcontractor list.
Process artifacts
- Intake record showing SA-4(11) applicability determination (the gate output).
- Approval record showing pre-award clause verification (ticket, checklist, or signoff).
- Exception/waiver log entries if SA-4(11) was modified or omitted, with compensating controls.
Operational artifacts
- Onboarding checklist showing access provisioning aligned with the contract scope.
- Periodic oversight records (attestations, review notes, meeting minutes tied to obligations).
Common exam/audit questions and hangups
Expect assessors to test repeatability and completeness:
- “Show me all third parties operating systems of records and the executed contracts.” Hangup: your inventory is incomplete or not tied to contract IDs.
- “Where is the organization-defined SA-4(11) language documented?” Hangup: it exists only as ad hoc edits in Word docs.
- “How do you ensure SA-4(11) is included before signature?” Hangup: reliance on tribal knowledge rather than a workflow gate.
- “How do you manage subcontractors?” Hangup: no flowdown language, no visibility into who actually operates the system.
- “What evidence shows the control operates over time?” Hangup: you have one clean contract, but renewals/amendments drift.
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails | Fix |
|---|---|---|
| Treating SA-4(11) as a privacy memo, not a contract requirement | The obligation never becomes enforceable | Put the clause package in the contract template library and require it pre-award 2 |
| Scoping based on system name instead of operational reality | Teams miss managed services and BPO operations | Use the intake questions focused on “operate on behalf of” and “records about individuals” |
| Clause language buried in an exhibit nobody references | Operational teams do not follow it | Translate key obligations into onboarding checklists and oversight checkpoints |
| No exception management | You cannot explain gaps to an assessor | Maintain a waiver log with approvals and compensating controls |
| Ignoring subcontractors | Real operations occur outside the prime | Require disclosure, flowdown, and prime accountability |
Enforcement context and risk implications
NIST SP 800-53 is a control catalog, not an enforcement regime, and no public enforcement cases are available for this requirement, so treat SA-4(11) risk through an assurance lens: failure shows up as an assessment finding, contract noncompliance, or a privacy and records-handling gap that becomes painful during incidents, disputes, or transitions. The operational risk is highest when a third party controls day-to-day system administration and you lack clear contractual rights for audit, incident response cooperation, and data return and disposition. 2
Practical 30/60/90-day execution plan
First 30 days (stabilize)
- Name an SA-4(11) control owner and define RACI across procurement, legal, privacy, security, and vendor management.
- Draft the SA-4(11) clause package (ODP content) and create a clause mapping table.
- Add the SA-4(11) applicability questions to your intake workflow and publish “hard stop” rules for in-scope engagements.
By 60 days (embed)
- Update contract templates and your clause library so SA-4(11) is selectable and standardized.
- Train procurement and third-party onboarding teams on the applicability gate and the non-negotiables.
- Start building the evidence packets for renewals and amendments as well as net-new engagements.
By 90 days (prove operation)
- Back-review active in-scope third parties and identify contracts missing SA-4(11) language; remediate via amendments or renewal plan.
- Implement exception management with documented approvals and tracking.
- Run an internal mini-audit: sample a set of in-scope engagements and confirm intake record → executed clauses → oversight artifacts exist and match.
Frequently Asked Questions
What counts as “operation of a system of records” for SA-4(11)?
Treat it as the third party running the system’s ongoing administration or managed service functions on your behalf as part of delivering your mission or business function. If they host, administer, maintain, or manage access for the system that contains records about individuals, assume it is in scope and document your decision. 2
Where do we get the exact language for the {{ insert: param, sa-04.11_odp }} placeholder?
You define it, within the frame the catalog sets (organization-defined Privacy Act requirements). SA-4(11) expects organization-defined contract terms, so your privacy, legal, and security teams should publish a standard clause package in your clause library and reference it in your procurement playbook. 1
Does SA-4(11) apply to every SaaS contract?
Not automatically. It applies when the acquisition is for a third party to operate a system of records on your behalf to accomplish your mission or function; document how you made that determination in the intake record. 2
How do we handle subcontractors under SA-4(11)?
Require disclosure of operational subcontractors and flow down the same obligations in writing. Keep evidence of flowdown language and the subcontractor list in the engagement’s evidence packet.
What evidence will an auditor expect to see?
Executed contracts with the SA-4(11) clause package, an applicability decision record from intake, and proof procurement has a consistent pre-award check. Add exception approvals when you deviate. 2
We have legacy contracts already live. What’s the fastest remediation path?
Triage by operational risk and renewal dates, then amend the highest-risk agreements first using a standard addendum that contains your SA-4(11) clause package. Track each remediation action and keep the executed amendment with the original contract.
Footnotes
1. NIST SP 800-53 Rev. 5 OSCAL JSON
2. NIST SP 800-53 Rev. 5