This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): (M) to include security-relevant external system interfaces and high-level design; (H) at a minimum to include security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram] at [Assignment: organization-defined level of detail].
NIST 800-53 (r4) Supplemental Guidance:
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5.
NIST 800-53 (r5) Discussion:
Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system.
38North Guidance:
Meets Minimum Requirement:
The developer of the information system, system component, or service must provide documentation at an adequate level of detail approved by the organization. For MODERATE systems, the documentation must include security-relevant external system interfaces and high-level design. For HIGH systems, it must include, at a minimum, security-relevant external system interfaces; high-level design; low-level design; source code or network and data flow diagram.
Best Practice:
When describing the implementation of security processes or controls, the writer of the process document or security control should consider telling the reader a story that describes the important aspects of the process, tool or activity. The story should cover the role of any human-based actions, what the particular control requires and how it is met by policies, processes, procedures or tools, the timeframe of activities that may occur frequently or at specified intervals, any expected inputs/outputs of these activities, and whether any reports should be produced as a result of the control activity.
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Security control implementation statements that describe the design/implementation/deployment of controls for the information system.
Information that is included in the 'top section' of the SSP (Sections 1-12) (e.g., network/data flow diagrams, security control implementation summary, security architecture diagrams, etc.).
Samples of acquisition contracts or documented evidence to show:
Security requirements are addressed
A description of the product is provided
The security controls employed by the product
A plan for continuous monitoring is produced
The functions, ports, protocols, and services required for operation are defined
Testing performed on acquired product prior to implementation
CSP Implementation Tips:
None.