SA-8—Security and Privacy Engineering Principles
>Control Description
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.
The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions.
System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.
>Programmatic Queries
Related Services
CLI Commands
aws securityhub get-findings --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}]}'aws securityhub get-enabled-standardsaws wellarchitected list-workloadsaws support describe-trusted-advisor-checks --language en>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What acquisition policies and procedures address the requirements of SA-8?
- •How are security and privacy requirements integrated into the acquisition process?
- •Who is responsible for ensuring that acquisitions comply with SA-8?
- •How is security integrated throughout your system development lifecycle (SDLC)?
Technical Implementation:
- •How are security requirements defined and documented in acquisition contracts?
- •What mechanisms ensure that acquired systems and services meet security requirements?
- •How do you validate that vendors and service providers comply with specified security controls?
- •What security practices are required at each phase of the SDLC?
- •What secure coding practices and standards are required for developers?
Evidence & Documentation:
- •Can you provide examples of acquisition documentation that includes security requirements?
- •What evidence demonstrates that acquired systems meet security specifications?
- •Where is acquisition security documentation maintained throughout the system lifecycle?
- •Can you show evidence of security activities performed during development?
- •Can you provide code review or static analysis results?
Ask AI
Configure your API key to use AI features.