CCI-004756

Implement the security design principle of self-analysis in organization-defined systems or system components.

Implementation Guidance

Determine if [SA-08(21)_ODP; systems or system components that implement the security design principle of self-analysis are defined] implement the security design principle of self-analysis.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of self-analysis used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Organizational processes for applying the security design principle of self-analysis in system specification, design, development, implementation, and modification; mechanisms supporting the application of the security design principle of self-analysis in system specification, design, development, implementation, and modification].

The controls below (if any) were marked by NIST as being related to CCI-004756.