CCI-000664

Apply organization-defined systems security and privacy engineering principles in the specification of the system and system components.

Implementation Guidance

The organization managing the acquisition/development of the information system (e.g. PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE can be found in the NIST SP 800-160 - Systems Security Engineering, currently in draft form, and can be found here: http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG) Chapters 4 and 13, found here: https://dag.dau.mil/. This CCI does not apply to COTS products. The organization managing the acquisition/development of the information system must ensure that the system requirements documents reflect the system security engineering principles that can be applied to information systems in development, systems undergoing major upgrades and to the extent feasible systems in sustainment. Security engineering principles include: 1. Developing layered protections; 2. Establishing sound security policy, architecture, and controls as the foundation for design; 3. Incorporating security requirements into all phases of the system development life cycle; 4. Delineating physical and logical security boundaries; 5. Ensuring that system developers are trained on how to design and build secure software; 6. Tailoring security controls and protections to meet system-specific requirements and operational needs; 7. Performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the system requirements documents to ensure that the organization being inspected/assessed applies information system security engineering principles in the specification of the information system.

Compelling Evidence

1.) System security plan (SSP). 2.) Design documentation must include system requirements documentation and it must apply information system security principles in specifications.

The controls below (if any) were marked by NIST as being related to CCI-000664.