>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

PL-8(1)Security and Privacy Architectures | Defense in Depth

IL5
IL6

>Control Description

Design the security and privacy architectures for the system using a defense-in-depth approach that: (a) Allocates organization-defined controls to organization-defined locations and architectural layers; and (b) Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Organizations strategically allocate security and privacy controls in the security and privacy architectures so that adversaries must overcome multiple controls to achieve their objective. Requiring adversaries to defeat multiple controls makes it more difficult to attack information resources by increasing the work factor of the adversary; it also increases the likelihood of detection. The coordination of allocated controls is essential to ensure that an attack that involves one control does not create adverse, unintended consequences by interfering with other controls.

Unintended consequences can include system lockout and cascading alarms. The placement of controls in systems and organizations is an important activity that requires thoughtful analysis. The value of organizational assets is an important consideration in providing additional layering.

Defense-in-depth architectural approaches include modularity and layering (see SA-8(3)), separation of system and user functionality (see SC-2), and security function isolation (see SC-3).

>Related Controls

SC-2
SC-3
SC-29
SC-36

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of defense in depth across organizational systems?
  • Who is responsible for defense in depth activities and oversight?
  • What is the process for documenting and approving defense in depth?
  • How frequently are defense in depth activities reviewed and updated?
  • What governance exists for ensuring defense in depth aligns with organizational objectives and risk management strategy?

Technical Implementation:

  • What systems or tools support the technical implementation of defense in depth?
  • How is defense in depth information integrated with other system documentation or repositories?
  • What automation exists for defense in depth activities?
  • How are defense in depth artifacts version-controlled and maintained?
  • What technical workflows enforce defense in depth requirements?

Evidence & Documentation:

  • Provide documented policies and procedures for defense in depth.
  • Provide artifacts demonstrating defense in depth implementation.
  • Provide evidence of defense in depth review and approval.
  • Provide records of defense in depth updates and version control.
  • Provide documentation showing defense in depth integration with system authorization.

Ask AI

Configure your API key to use AI features.