Navigate

CCI-003328

CCI-003328 Definition

Require the developer of the system, system component, or system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the developer of the system, system component, or system service is required to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; enterprise architecture policy; formal policy model; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; informal, descriptive top-level specification documentation; system security architecture and design documentation; system design documentation; system configuration settings and associated documentation; documentation describing security-relevant hardware, software, and firmware mechanisms not addressed in the informal, descriptive top-level specification documentation; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with information security architecture and design responsibilities].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003328.

Control	Description
SA-17(4)	Require the developer of the system, system component, or system service to: (a): Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; (b): Show via [one of "informal demonstration, convincing argument with formal methods as feasible"] that the descriptive top-level specification is consistent with the formal policy model; (c): Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; (d): Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and (e): Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

Control

Description

SA-17(4)

Require the developer of the system, system component, or system service to:

(a): Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;

(b): Show via [one of "informal demonstration, convincing argument with formal methods as feasible"] that the descriptive top-level specification is consistent with the formal policy model;

(c): Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;

(d): Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and

(e): Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.