National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

NIST Special Publication 800-53 (Rev. 4)

Security Controls and Assessment Procedures for Federal Information Systems and Organizations

SA-8 SECURITY ENGINEERING PRINCIPLES

Family:
SA - SYSTEM AND SERVICES ACQUISITION
Class:
Priority:
P1 - Implement P1 security controls first.
Baseline Allocation:
Low Moderate High
N/A SA-8 SA-8

Control Description

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Supplemental Guidance

Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.

Related to: PM-7SA-3SA-4SA-17SC-2SC-3

Control Enhancements

None.

References

NIST Special Publication 800-27 https://csrc.nist.gov/publications/search?keywords-lg=800-27