SA-8: Security and Privacy Engineering Principles
Control Family:
Baselines:
- Low
- SA-8
- Moderate
- SA-8
- High
- SA-8
- Privacy
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SA-8: Security Engineering Principles
Incorporates the following control from the previous version: SA-13: Trustworthiness.
Control Statement
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles].
Supplemental Guidance
Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.
The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.
Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.
Control Enhancements
SA-8(1): Clear Abstractions
Baseline(s):
Implement the security design principle of clear abstractions.
SA-8(2): Least Common Mechanism
Baseline(s):
Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components].
SA-8(3): Modularity and Layering
Baseline(s):
Implement the security design principles of modularity and layering in [Assignment: organization-defined systems or system components].
SA-8(4): Partially Ordered Dependencies
Baseline(s):
Implement the security design principle of partially ordered dependencies in [Assignment: organization-defined systems or system components].
SA-8(5): Efficiently Mediated Access
Baseline(s):
Implement the security design principle of efficiently mediated access in [Assignment: organization-defined systems or system components].
SA-8(6): Minimized Sharing
Baseline(s):
Implement the security design principle of minimized sharing in [Assignment: organization-defined systems or system components].
SA-8(7): Reduced Complexity
Baseline(s):
Implement the security design principle of reduced complexity in [Assignment: organization-defined systems or system components].
SA-8(8): Secure Evolvability
Baseline(s):
Implement the security design principle of secure evolvability in [Assignment: organization-defined systems or system components].
SA-8(9): Trusted Components
Baseline(s):
Implement the security design principle of trusted components in [Assignment: organization-defined systems or system components].
SA-8(10): Hierarchical Trust
Baseline(s):
Implement the security design principle of hierarchical trust in [Assignment: organization-defined systems or system components].
SA-8(11): Inverse Modification Threshold
Baseline(s):
Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components].
SA-8(12): Hierarchical Protection
Baseline(s):
Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components].
SA-8(13): Minimized Security Elements
Baseline(s):
Implement the security design principle of minimized security elements in [Assignment: organization-defined systems or system components].
SA-8(14): Least Privilege
Baseline(s):
Implement the security design principle of least privilege in [Assignment: organization-defined systems or system components].
SA-8(15): Predicate Permission
Baseline(s):
Implement the security design principle of predicate permission in [Assignment: organization-defined systems or system components].
SA-8(16): Self-reliant Trustworthiness
Baseline(s):
Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components].
SA-8(17): Secure Distributed Composition
Baseline(s):
Implement the security design principle of secure distributed composition in [Assignment: organization-defined systems or system components].
SA-8(18): Trusted Communications Channels
Baseline(s):
Implement the security design principle of trusted communications channels in [Assignment: organization-defined systems or system components].
SA-8(19): Continuous Protection
Baseline(s):
Implement the security design principle of continuous protection in [Assignment: organization-defined systems or system components].
SA-8(20): Secure Metadata Management
Baseline(s):
Implement the security design principle of secure metadata management in [Assignment: organization-defined systems or system components].
SA-8(21): Self-analysis
Baseline(s):
Implement the security design principle of self-analysis in [Assignment: organization-defined systems or system components].
SA-8(22): Accountability and Traceability
Baseline(s):
Implement the security design principle of accountability and traceability in [Assignment: organization-defined systems or system components].
SA-8(23): Secure Defaults
Baseline(s):
Implement the security design principle of secure defaults in [Assignment: organization-defined systems or system components].
SA-8(24): Secure Failure and Recovery
Baseline(s):
Implement the security design principle of secure failure and recovery in [Assignment: organization-defined systems or system components].
SA-8(25): Economic Security
Baseline(s):
Implement the security design principle of economic security in [Assignment: organization-defined systems or system components].
SA-8(26): Performance Security
Baseline(s):
Implement the security design principle of performance security in [Assignment: organization-defined systems or system components].
SA-8(27): Human Factored Security
Baseline(s):
Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components].
SA-8(28): Acceptable Security
Baseline(s):
Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components].
SA-8(29): Repeatable and Documented Procedures
Baseline(s):
Implement the security design principle of repeatable and documented procedures in [Assignment: organization-defined systems or system components].
SA-8(30): Procedural Rigor
Baseline(s):
Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components].
SA-8(31): Secure System Modification
Baseline(s):
Implement the security design principle of secure system modification in [Assignment: organization-defined systems or system components].
SA-8(32): Sufficient Documentation
Baseline(s):
Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components].
SA-8(33): Minimization
Baseline(s):
- Privacy
Implement the privacy principle of minimization using [Assignment: organization-defined processes].