Navigate

CCI-003324

CCI-003324 Definition

Require the developer of the system, system component, or system service to show via informal demonstration or convincing argument with formal methods as feasible that the descriptive top-level specification is consistent with the formal policy model.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the developer of the system, system component, or system service is required to show via [SA-17(04)_ODP; one of the following PARAMETER VALUES is selected: {informal demonstration, convincing argument with formal methods as feasible}] that the descriptive top-level specification is consistent with the formal policy model.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; enterprise architecture policy; formal policy model; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; informal, descriptive top-level specification documentation; system security architecture and design documentation; system design documentation; system configuration settings and associated documentation; documentation describing security-relevant hardware, software, and firmware mechanisms not addressed in the informal, descriptive top-level specification documentation; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with information security architecture and design responsibilities].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003324.

Control	Description
SA-17(4)	Require the developer of the system, system component, or system service to: (a): Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; (b): Show via [one of "informal demonstration, convincing argument with formal methods as feasible"] that the descriptive top-level specification is consistent with the formal policy model; (c): Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; (d): Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and (e): Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

Control

Description

SA-17(4)

Require the developer of the system, system component, or system service to:

(a): Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;

(b): Show via [one of "informal demonstration, convincing argument with formal methods as feasible"] that the descriptive top-level specification is consistent with the formal policy model;

(c): Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;

(d): Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and

(e): Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.