This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
NIST 800-53 (r4) Supplemental Guidance:
Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3.
NIST 800-53 (r5) Discussion:
Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.
The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.
Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.
38North Guidance:
Meets Minimum Requirement:
Incorporate security engineering principles and practices throughout the SDLC. Bake security requirements in throughout the development of the information system rather than adding security controls at the end of developing an information system or application.
Best Practice:
Security engineering principles should be baked into the CSP's overall SDLC process to ensure that security requirements and controls are employed throughout the course of development. Building in the security requirements ensures that any security controls that may cause functionality issues are addressed early on rather than at the end of development, when the product may already be ready for deployment. When addressing these issues, the changes are managed through the standard change management process, which ensures that all changes to the system/application are documented, managed, and tested prior to deployment into the production environment.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
List of information system security engineering principles used during specification, design, development, implementation and modification of the information system.
CSP Implementation Tips:
None.