Navigate

CCI-003075

CCI-003075 Definition

Develop security architectures for the system that describe any assumptions about, and dependencies on, external systems and services.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - a security architecture for the system describes any assumptions about and dependencies on external systems and services. - a privacy architecture for the system describes any assumptions about and dependencies on external systems and services.

Validation Procedures

Examine: [SELECT FROM: Security and privacy planning policy; procedures addressing information security and privacy architecture development; procedures addressing information security and privacy architecture reviews and updates; enterprise architecture documentation; information security and privacy architecture documentation; system security plan; privacy plan; security and privacy CONOPS for the system; records of information security and privacy architecture reviews and updates; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with security and privacy planning and plan implementation responsibilities; organizational personnel with information security and privacy architecture development responsibilities; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for developing, reviewing, and updating the information security and privacy architecture; mechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003075.

Control	Description
PL-8	a: Develop security and privacy architectures for the system that: 1: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; 2: Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; 3: Describe how the architectures are integrated into and support the enterprise architecture; and 4: Describe any assumptions about, and dependencies on, external systems and services; b: Review and update the architectures [frequency for review and update to reflect changes in the enterprise architecture;] to reflect changes in the enterprise architecture; and c: Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.

Control

Description

PL-8

a: Develop security and privacy architectures for the system that:
- 1: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
- 2: Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
- 3: Describe how the architectures are integrated into and support the enterprise architecture; and
- 4: Describe any assumptions about, and dependencies on, external systems and services;

b: Review and update the architectures [frequency for review and update to reflect changes in the enterprise architecture;] to reflect changes in the enterprise architecture; and

c: Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.