SA-17(5): Conceptually Simple Design

CSF v1.1 References:

Baselines:

(Not part of any baseline)

Next Version:

Control Statement

The organization requires the developer of the information system, system component, or information system service to:

  1. Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
  2. Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.