SA-8: Security and Privacy Engineering Principles

CSF v1.1 References:

Baselines:

  • Low
    • SA-8
  • Moderate
    • SA-8
  • High
    • SA-8
  • Privacy

Previous Version:

Incorporates the following control from the previous version: SA-13: Trustworthiness.

Control Statement

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles].

Supplemental Guidance

Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.

The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.

Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.

Control Enhancements

SA-8(2): Least Common Mechanism

Baseline(s):

(Not part of any baseline)

Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components].

SA-8(3): Modularity and Layering

Baseline(s):

(Not part of any baseline)

Implement the security design principles of modularity and layering in [Assignment: organization-defined systems or system components].

SA-8(4): Partially Ordered Dependencies

Baseline(s):

(Not part of any baseline)

Implement the security design principle of partially ordered dependencies in [Assignment: organization-defined systems or system components].

SA-8(5): Efficiently Mediated Access

Baseline(s):

(Not part of any baseline)

Implement the security design principle of efficiently mediated access in [Assignment: organization-defined systems or system components].

SA-8(6): Minimized Sharing

Baseline(s):

(Not part of any baseline)

Implement the security design principle of minimized sharing in [Assignment: organization-defined systems or system components].

SA-8(7): Reduced Complexity

Baseline(s):

(Not part of any baseline)

Implement the security design principle of reduced complexity in [Assignment: organization-defined systems or system components].

SA-8(8): Secure Evolvability

Baseline(s):

(Not part of any baseline)

Implement the security design principle of secure evolvability in [Assignment: organization-defined systems or system components].

SA-8(9): Trusted Components

Baseline(s):

(Not part of any baseline)

Implement the security design principle of trusted components in [Assignment: organization-defined systems or system components].

SA-8(10): Hierarchical Trust

Baseline(s):

(Not part of any baseline)

Implement the security design principle of hierarchical trust in [Assignment: organization-defined systems or system components].

SA-8(11): Inverse Modification Threshold

Baseline(s):

(Not part of any baseline)

Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components].

SA-8(12): Hierarchical Protection

Baseline(s):

(Not part of any baseline)

Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components].

SA-8(13): Minimized Security Elements

Baseline(s):

(Not part of any baseline)

Implement the security design principle of minimized security elements in [Assignment: organization-defined systems or system components].

SA-8(14): Least Privilege

Baseline(s):

(Not part of any baseline)

Implement the security design principle of least privilege in [Assignment: organization-defined systems or system components].

SA-8(15): Predicate Permission

Baseline(s):

(Not part of any baseline)

Implement the security design principle of predicate permission in [Assignment: organization-defined systems or system components].

SA-8(16): Self-reliant Trustworthiness

Baseline(s):

(Not part of any baseline)

Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components].

SA-8(17): Secure Distributed Composition

Baseline(s):

(Not part of any baseline)

Implement the security design principle of secure distributed composition in [Assignment: organization-defined systems or system components].

SA-8(18): Trusted Communications Channels

Baseline(s):

(Not part of any baseline)

Implement the security design principle of trusted communications channels in [Assignment: organization-defined systems or system components].

SA-8(19): Continuous Protection

Baseline(s):

(Not part of any baseline)

Implement the security design principle of continuous protection in [Assignment: organization-defined systems or system components].

SA-8(20): Secure Metadata Management

Baseline(s):

(Not part of any baseline)

Implement the security design principle of secure metadata management in [Assignment: organization-defined systems or system components].

SA-8(21): Self-analysis

Baseline(s):

(Not part of any baseline)

Implement the security design principle of self-analysis in [Assignment: organization-defined systems or system components].

SA-8(22): Accountability and Traceability

Baseline(s):

(Not part of any baseline)

Implement the security design principle of accountability and traceability in [Assignment: organization-defined systems or system components].

SA-8(23): Secure Defaults

Baseline(s):

(Not part of any baseline)

Implement the security design principle of secure defaults in [Assignment: organization-defined systems or system components].

SA-8(24): Secure Failure and Recovery

Baseline(s):

(Not part of any baseline)

Implement the security design principle of secure failure and recovery in [Assignment: organization-defined systems or system components].

SA-8(25): Economic Security

Baseline(s):

(Not part of any baseline)

Implement the security design principle of economic security in [Assignment: organization-defined systems or system components].

SA-8(26): Performance Security

Baseline(s):

(Not part of any baseline)

Implement the security design principle of performance security in [Assignment: organization-defined systems or system components].

SA-8(27): Human Factored Security

Baseline(s):

(Not part of any baseline)

Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components].

SA-8(28): Acceptable Security

Baseline(s):

(Not part of any baseline)

Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components].

SA-8(29): Repeatable and Documented Procedures

Baseline(s):

(Not part of any baseline)

Implement the security design principle of repeatable and documented procedures in [Assignment: organization-defined systems or system components].

SA-8(30): Procedural Rigor

Baseline(s):

(Not part of any baseline)

Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components].

SA-8(31): Secure System Modification

Baseline(s):

(Not part of any baseline)

Implement the security design principle of secure system modification in [Assignment: organization-defined systems or system components].

SA-8(32): Sufficient Documentation

Baseline(s):

(Not part of any baseline)

Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components].

SA-8(33): Minimization

Baseline(s):

  • Privacy

Implement the privacy principle of minimization using [Assignment: organization-defined processes].