Show/Hide Toolbars

ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Navigation: SA-FAMILY: SYSTEM AND SERVICES ACQUISITION

SA-17(1) DEVELOPER SECURITY ARCHITECTURE AND DESIGN  |  FORMAL POLICY MODEL
Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

 

 

 

 

 

 

 

 

 

 

 

 

###

sa-17(1)

developer security architecture and design  | formal policy model

 

assessment objective:

Determine if the organization:

sa-17(1)(a)

sa-17(1)(a)[1]

defines elements of the organizational security policy to be enforced under a formal policy model produced by the developer as an integral part of the development process for the information system, system component, or information system service;

sa-17(1)(a)[2]

requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal policy model describing the organization-defined elements of organizational security policy to be enforced; and

sa-17(1)(b)

requires the developer of the information system, system component, or information system service to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specification for the information system; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; design specification and security architecture documentation for the system; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056