SC.L2-3.13.2 Security Engineering
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Source: NIST SP 800-171 Rev 2 3.13.2
Discussion: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering.
Assessment Objectives:
Determine if:
- [a] architectural designs that promote effective information security are identified;
- [b] software development techniques that promote effective information security are identified;
- [c] systems engineering principles that promote effective information security are identified;
- [d] identified architectural designs that promote effective information security are employed;
- [e] identified software development techniques that promote effective information security are employed; and
- [f] identified systems engineering principles that promote effective information security are employed.
Examine: [SELECT FROM: Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan; records of security plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security planning and plan implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for security plan development, review, update, and approval; mechanisms supporting the system security plan].
SPRS Score: 5
POA&M Allowed: No