SA-8(12): Hierarchical Protection
Control Family:
Parent Control:
Baselines:
(Not part of any baseline)
Control is new to this version of the control set.
Control Statement
Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components].
Supplemental Guidance
The principle of hierarchical protection states that a component need not be protected from more trustworthy components. In the degenerate case of the most trusted component, it protects itself from all other components. For example, if an operating system kernel is deemed the most trustworthy component in a system, then it protects itself from all untrusted applications it supports, but the applications, conversely, do not need to protect themselves from the kernel. The trustworthiness of users is a consideration for applying the principle of hierarchical protection. A trusted system need not protect itself from an equally trustworthy user, reflecting use of untrusted systems in "system high" environments where users are highly trustworthy and where other protections are put in place to bound and protect the "system high" execution environment.