SA-17(2): Security-Relevant Components

Control Family:

System And Services Acquisition

Parent Control:

SA-17: Developer Security Architecture And Design

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

PR.IP-2

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
SA-17(2): Security-relevant Components

Control Statement

The organization requires the developer of the information system, system component, or information system service to:

Define security-relevant hardware, software, and firmware; and
Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.

Supplemental Guidance

Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties.