>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SA-8(6)Security and Privacy Engineering Principles | Minimized Sharing

IL5
IL6

>Control Description

Implement the security design principle of minimized sharing in organization-defined systems or system components.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

The principle of minimized sharing states that no computer resource is shared between system components (e.g., subjects, processes, functions) unless it is absolutely necessary to do so. Minimized sharing helps to simplify system design and implementation. In order to protect user-domain resources from arbitrary active entities, no resource is shared unless that sharing has been explicitly requested and granted.

The need for resource sharing can be motivated by the design principle of least common mechanism in the case of internal entities or driven by stakeholder requirements. However, internal sharing is carefully designed to avoid performance and covert storage and timing channel problems. Sharing via common mechanism can increase the susceptibility of data and information to unauthorized access, disclosure, use, or modification and can adversely affect the inherent capability provided by the system.

To minimize sharing induced by common mechanisms, such mechanisms can be designed to be reentrant or virtualized to preserve separation. Moreover, the use of global data to share information is carefully scrutinized. The lack of encapsulation may obfuscate relationships among the sharing entities.

>Related Controls

SC-31

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-8(6)?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-8(6)?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?

Ask AI

Configure your API key to use AI features.