catalog: SP800-53rev3 / class: Management / family: (SA) System and Services Acquisition

  SA-08: Security Engineering Principles  

base control objective:
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

supplemental objective information:
The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engineering principles to system upgrades and modifications, to the extent feasible, given the current state of the hardware, software, and firmware components within the system. Examples of security engineering principles for information systems include, but are not limited to: (i) develop layered protections; (ii) establish sound security policy, architecture, and controls as the foundation for design; (iii) incorporate security into the system development life cycle; (iv) delineate physical and logical security boundaries; (v) ensure developers/integrators are trained on how to develop secure software for information systems; (vi) tailor security controls to meet organizational and operational needs; and (vii) reduce risk to acceptable levels, thus enabling risk executives to make informed decisions.

enhancements to the base objective:

(1) None.

mapping to FIPS199 baseline:

  LOW: null     MOD: base     HIGH: base  

related (regimented) controls:

None.

documents referenced in SP800-53rev3 for SA-08:

Document | Date | Status | Title
NIST SP800-27 | June, 2004 | current | Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
NIST SP800-33 | December, 2001 | current | Underlying Technical Models for Information Technology Security
