Navigate

SA-17 (2)

SA-17 (2): Security-Relevant Components

The organization requires the developer of the information system, system component, or information system service to:

SA-17 (2)(a): Define security-relevant hardware, software, and firmware; and

SA-17 (2)(b): Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.

Supplemental

Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer)

Related Controls

The controls below (if any) were marked by NIST as being related to SA-17 (2).

Control	Description
SA-5	The organization: SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes: SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service; SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes: SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service; SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response; SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].

Control

Description

SA-5

The organization:

SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes:
- SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service;
- SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and
- SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes:
- SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
- SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
- SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service;

SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;

SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and

SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].

Enhancements

The controls below (if any) add on to the requirements of SA-17 (2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-17 (2).

CCI	Definition
CCI-003301	The organization requires the developer of the information system, system component, or information system service to define security-relevant hardware.
CCI-003302	The organization requires the developer of the information system, system component, or information system service to define security-relevant hardware.
CCI-003303	The organization requires the developer of the information system, system component, or information system service to define security-relevant software.
CCI-003304	The organization requires the developer of the information system, system component, or information system service to define security-relevant firmware.
CCI-003305	The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant hardware is complete.
CCI-003306	The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant software is complete.
CCI-003307	The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant firmware is complete.