SA-17(1): Formal Policy Model
CSF v1.1 References:
(Not part of any baseline)
- NIST Special Publication 800-53 Revision 4:
- SA-17(1): Formal Policy Model
Require the developer of the system, system component, or system service to:
Formal models describe specific behaviors or security and privacy policies using formal languages, thus enabling the correctness of those behaviors and policies to be formally proven. Not all components of systems can be modeled. Generally, formal specifications are scoped to the behaviors or policies of interest, such as nondiscretionary access control policies. Organizations choose the formal modeling language and approach based on the nature of the behaviors and policies to be described and the available tools.