03.16.01: Security Engineering Principles

Control Family: System and Services Acquisition

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-160-1 [11]

  • SP 800-160-2 [10]

  • SP 800-207 [66]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.16.01

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • SA-08

Apply the following systems security engineering principles to the development or modification of the system and system components: [Assignment: organization-defined systems security engineering principles].

Discussion:

Organizations apply systems security engineering principles to new development systems. For legacy systems, organizations apply systems security engineering principles to system modifications to the extent feasible, given the current state of hardware, software, and firmware components. The application of systems security engineering principles helps to develop trustworthy, secure, and resilient systems and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples include developing layered protections; establishing security policies, architectures, and controls as the foundation for system design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build trustworthy secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risks to acceptable levels; and make informed risk-management decisions.

Assessment Methods and Objectives

Examine [SELECT FROM: system and services acquisition policy; system and services acquisition procedures; procedures addressing security engineering principles used in the development and modification of the system; system design documentation; security requirements and specifications for the system; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with acquisition/contracting responsibilities; personnel with information security responsibilities; personnel with system development and modification responsibilities; system developers]

Test [SELECT FROM: processes for applying security engineering principles in system development and modification; mechanisms supporting the application of security engineering principles in system development and modification]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.16.01.ODP[01]: systems security engineering principles to be applied to the development or modification of the system and system components are defined.

A.03.16.01: <A.03.16.01.ODP[01]: systems security engineering principles> are applied to the development or modification of the system and system components.