SA-8: Security and Privacy Engineering Principles
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 08/08/2024
- Information resource custodians should apply system security and privacy engineering principles commensurate with a system’s risks and criticality. These should be applied throughout the system’s lifecycle: specification, design, development, implementation, and modification.
- Security is everyone’s job. Developers, operations, owners, custodians, and security personnel should be empowered to manage security risks together in each phase of the lifecycle.
- Communication needs to be fast, smooth, and effective to ensure timely identification and resolution of security risks.
- Implement the security design principles of:
  - Clear abstractions
  - Least common mechanism
  - Modularity and layering
  - Partially ordered dependencies
  - Efficiently mediated access
  - Minimized sharing
  - Reduced complexity
  - Secure evolvability
  - Trusted components
  - Hierarchical trust
  - Inverse modification threshold
  - Hierarchical protection
  - Minimized security elements
  - Least privilege
  - Predicate permissions
  - Self-reliant trustworthiness
  - Secure distributed composition
  - Trusted communications channels
  - Continuous protection
  - Secure metadata management
  - Self-analysis
  - Accountability and traceability
  - Secure defaults
  - Secure failure and recovery
  - Economic security
  - Performance security
  - Human factored security
  - Acceptable security
  - Repeatable and documented procedures
  - Procedural rigor
  - Secure system modification
  - Sufficient documentation
  - Minimization