Navigate

PL-8 (1)

PL-8 (1): Defense-In-Depth

The organization designs its security architecture using a defense-in-depth approach that:

PL-8 (1)(a): Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and

PL-8 (1)(b): Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.

Supplemental

Organizations strategically allocate security safeguards (procedural, technical, or both) in the security architecture so that adversaries have to overcome multiple safeguards to achieve their objective. Requiring adversaries to defeat multiple mechanisms makes it more difficult to successfully attack critical information resources (i.e., increases adversary work factor) and also increases the likelihood of detection. The coordination of allocated safeguards is essential to ensure that an attack that involves one safeguard does not create adverse unintended consequences (e.g., lockout, cascading alarms) by interfering with another safeguard. Placement of security safeguards is a key activity. Greater asset criticality or information value merits additional layering. Thus, an organization may choose to place anti-virus software at organizational boundary layers, email/web servers, notebook computers, and workstations to maximize the number of related safeguards adversaries must penetrate before compromising the information and information systems.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to PL-8 (1).

Control	Description
SC-29	The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.
SC-36	The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations.

Enhancements

The controls below (if any) add on to the requirements of PL-8 (1).

Control	Description
No controls

Related CCIs

The CCIs below are tied to PL-8 (1).

CCI	Definition
CCI-003081	The organization designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined locations.
CCI-003082	The organization designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined architectural layers.
CCI-003083	The organization defines the security safeguards to be allocated to organization-defined locations.
CCI-003084	The organization defines the security safeguards to be allocated to organization-defined architectural layers.
CCI-003085	The organization defines the locations to which it allocates organization-defined security safeguards in the security architecture.
CCI-003086	The organization defines the architectural layers to which it allocates organization-defined security safeguards in the security architecture.
CCI-003087	The organization designs its security architecture using a defense-in-depth approach that ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.