SA-08 Security and Privacy Engineering Principles
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles (sa-8_prm_1)].

| Parameter ID | Definition |
|---|---|
| sa-8_prm_1 | organization-defined systems security and privacy engineering principles |
| sa-08_odp.01 | systems security engineering principles |
| sa-08_odp.02 | privacy engineering principles |
Baselines
- L
- M
- H
- P
Guidance
Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.
The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.
Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.
References
- PRIVACT Privacy Act (P.L. 93-579), December 1974.
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
- FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
- FIPS 200 National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200.
- SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
- SP 800-53A Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014.
- SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
- SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
- SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
- IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
Control Enhancements
- SA-08(01) Clear Abstractions
- SA-08(02) Least Common Mechanism
- SA-08(03) Modularity and Layering
- SA-08(04) Partially Ordered Dependencies
- SA-08(05) Efficiently Mediated Access
- SA-08(06) Minimized Sharing
- SA-08(07) Reduced Complexity
- SA-08(08) Secure Evolvability
- SA-08(09) Trusted Components
- SA-08(10) Hierarchical Trust
- SA-08(11) Inverse Modification Threshold
- SA-08(12) Hierarchical Protection
- SA-08(13) Minimized Security Elements
- SA-08(14) Least Privilege
- SA-08(15) Predicate Permission
- SA-08(16) Self-reliant Trustworthiness
- SA-08(17) Secure Distributed Composition
- SA-08(18) Trusted Communications Channels
- SA-08(19) Continuous Protection
- SA-08(20) Secure Metadata Management
- SA-08(21) Self-analysis
- SA-08(22) Accountability and Traceability
- SA-08(23) Secure Defaults
- SA-08(24) Secure Failure and Recovery
- SA-08(25) Economic Security
- SA-08(26) Performance Security
- SA-08(27) Human Factored Security
- SA-08(28) Acceptable Security
- SA-08(29) Repeatable and Documented Procedures
- SA-08(30) Procedural Rigor
- SA-08(31) Secure System Modification
- SA-08(32) Sufficient Documentation
- SA-08(33) Minimization
Related controls
- PL-08 Security and Privacy Architectures
- PM-07 Enterprise Architecture
- RA-02 Security Categorization
- RA-03 Risk Assessment
- RA-09 Criticality Analysis
- SA-03 System Development Life Cycle
- SA-04 Acquisition Process
- SA-15 Development Process, Standards, and Tools
- SA-17 Developer Security and Privacy Architecture and Design
- SA-20 Customized Development of Critical Components
- SC-02 Separation of System and User Functionality
- SC-03 Security Function Isolation
- SC-32 System Partitioning
- SC-39 Process Isolation
- SR-02 Supply Chain Risk Management Plan
- SR-03 Supply Chain Controls and Processes
- SR-04 Provenance
- SR-05 Acquisition Strategies, Tools, and Methods