Show/Hide Toolbars

ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Navigation: SA-FAMILY: SYSTEM AND SERVICES ACQUISITION

SA-17(3) DEVELOPER SECURITY ARCHITECTURE AND DESIGN  |  FORMAL CORRESPONDENCE
Scroll Prev Top Next More

sa-17(3)

developer security architecture and design  | formal correspondence

 

assessment objective:

Determine if the organization requires the developer of the information system, system component, or information system service to:

sa-17(3)(a)

produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of:

sa-17(3)(a)[1]

exceptions;

sa-17(3)(a)[2]

error messages;

sa-17(3)(a)[3]

effects;

sa-17(3)(b)

show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;

sa-17(3)(c)

show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;

sa-17(3)(d)

show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and

sa-17(3)(e)

describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; enterprise architecture policy; formal policy model; procedures addressing developer security architecture and design specification for the information system;  solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; formal top-level specification documentation; information system security architecture and design documentation; information system design documentation; information system configuration settings and associated documentation; documentation describing security-relevant hardware, software and firmware mechanisms not addressed in the formal top-level specification documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with security architecture and design responsibilities].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056