SA-4(2): Design and Implementation Information for Controls

CSF v1.1 References:


  • Moderate
  • High

Previous Version:

Control Statement

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Assignment (one or more): security-relevant external system interfaces, high-level design, low-level design, source code or hardware schematics, [Assignment: organization-defined design and implementation information] ] at [Assignment: organization-defined level of detail].

Supplemental Guidance

Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system.