CCI-000664
CCI-000664 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- [SA-08_ODP[01]; systems security engineering principles are defined] are applied in the specification of the system and system components.
- [SA-08_ODP[01]; systems security engineering principles are defined] are applied in the design of the system and system components.
- [SA-08_ODP[01]; systems security engineering principles are defined] are applied in the development of the system and system components.
- [SA-08_ODP[01]; systems security engineering principles are defined] are applied in the implementation of the system and system components.
- [SA-08_ODP[01]; systems security engineering principles are defined] are applied in the modification of the system and system components.
- [SA-08_ODP[02]; privacy engineering principles are defined] are applied in the specification of the system and system components.
- [SA-08_ODP[02]; privacy engineering principles are defined] are applied in the design of the system and system components.
- [SA-08_ODP[02]; privacy engineering principles are defined] are applied in the development of the system and system components.
- [SA-08_ODP[02]; privacy engineering principles are defined] are applied in the implementation of the system and system components.
- [SA-08_ODP[02]; privacy engineering principles are defined] are applied in the modification of the system and system components.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; assessment and authorization procedures; procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers].

Test: [SELECT FROM: Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification; mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification].