CCI-003337

Require the developer of the system, system component, or system service to internally structure the security-relevant hardware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.

Implementation Guidance

Determine if the developer of the system, system component, or system service is required to internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; system security architecture documentation; system configuration settings and associated documentation; developer documentation describing the design and structure of security-relevant hardware, software, and firmware components; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with information security architecture and design responsibilities].

The controls below (if any) were marked by NIST as being related to CCI-003337.