SA-17(2): Security-Relevant Components

CSF v1.1 References:


(Not part of any baseline)

Next Version:

Control Statement

The organization requires the developer of the information system, system component, or information system service to:

  1. Define security-relevant hardware, software, and firmware; and
  2. Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.

Supplemental Guidance

Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties.