SA-08: Security Engineering Principles
base control objective:
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
supplemental objective information:
The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engineering principles to system upgrades and modifications, to the extent feasible, given the current state of the hardware, software, and firmware components within the system. Examples of security engineering principles for information systems include, but are not limited to: (i) develop layered protections; (ii) establish sound security policy, architecture, and controls as the foundation for design; (iii) incorporate security into the system development life cycle; (iv) delineate physical and logical security boundaries; (v) ensure developers/integrators are trained on how to develop secure software for information systems; (vi) tailor security controls to meet organizational and operational needs; and (vii) reduce risk to acceptable levels, thus enabling risk executives to make informed decisions.
enhancements to the base objective:
mapping to FIPS199 baseline:
related (regimented) controls:
documents referenced in SP800-53rev3 for SA-08:
Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
Underlying Technical Models for Information Technology Security