
SA-17 Developer Security Architecture And Design

PBMM (P3)
Secret (P3)
Management

>Control Description

(A) The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture.

(B) The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components.

(C) The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

>Supplemental Guidance

This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization’s enterprise architecture and information security architecture.

Related controls: PL-8, SA-3, SA-8

>Tailoring Guidance

Apply to custom developed systems or components.
