CCI-000666
CCI-000666 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization managing the acquisition/development of the information system (e.g., the PM) applies and documents system security engineering (SSE) principles as part of the overall systems engineering process IAW DoDD 5000.01 and DoDI 5000.02. The primary source of general and DoD-specific guidance on SSE is NIST SP 800-160, Systems Security Engineering, currently in draft form, available at http://csrc.nist.gov/publications/PubsSPs.html. Additional guidance can be found in the Defense Acquisition Guidebook (DAG), Chapters 4 and 13, at https://dag.dau.mil/. This CCI does not apply to COTS products.

The organization managing the acquisition/development of the information system must ensure that the development procedures reflect the system security engineering principles applicable to information systems in development, to systems undergoing major upgrades and, to the extent feasible, to systems in sustainment. Security engineering principles include:

1. Developing layered protections;
2. Establishing sound security policy, architecture, and controls as the foundation for design;
3. Incorporating security requirements into all phases of the system development life cycle;
4. Delineating physical and logical security boundaries;
5. Ensuring that system developers are trained on how to design and build secure software;
6. Tailoring security controls and protections to meet system-specific requirements and operational needs;
7. Performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns, as well as the compensating controls and design patterns needed to mitigate risk.

Examples of development procedures that should reflect SSE principles are configuration management plans, code review procedures, and coding style guides. Configuration management plans should be IAW CM-9, CCI 001790.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the system development procedures (e.g., configuration management plans, code review procedures, and coding style guides) to ensure that the organization being inspected/assessed applies information system security engineering principles in the development of the information system.
Compelling Evidence
1. System security plan (SSP).
2. Design documentation, which must include system requirements documentation and must show that information system security principles were applied in development.