Navigate

SA-17 (3)

SA-17 (3): Formal Correspondence

The organization requires the developer of the information system, system component, or information system service to:

SA-17 (3)(a): Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;

SA-17 (3)(b): Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;

SA-17 (3)(c): Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;

SA-17 (3)(d): Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and

SA-17 (3)(e): Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

Supplemental

Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-17 (3).

Control	Description
SA-5	The organization: SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes: SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service; SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes: SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service; SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response; SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].

Control

Description

SA-5

The organization:

SA-5a.: Obtains administrator documentation for the information system, system component, or information system service that describes:
- SA-5a.1.: Secure configuration, installation, and operation of the system, component, or service;
- SA-5a.2.: Effective use and maintenance of security functions/mechanisms; and
- SA-5a.3.: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

SA-5b.: Obtains user documentation for the information system, system component, or information system service that describes:
- SA-5b.1.: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
- SA-5b.2.: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
- SA-5b.3.: User responsibilities in maintaining the security of the system, component, or service;

SA-5c.: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;

SA-5d.: Protects documentation as required, in accordance with the risk management strategy; and

SA-5e.: Distributes documentation to [Assignment: organization-defined personnel or roles].

Enhancements

The controls below (if any) add on to the requirements of SA-17 (3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-17 (3).

CCI	Definition
CCI-003308	The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects.
CCI-003309	The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects.
CCI-003310	The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects.
CCI-003311	The organization requires the developer of the information system, system component, or information system service to show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model.
CCI-003312	The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware.
CCI-003313	The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant software.
CCI-003314	The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant firmware.
CCI-003315	The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware.
CCI-003316	The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant software.
CCI-003317	The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant firmware.
CCI-003318	The organization requires the developer of the information system, system component, or information system service to describe the security-relevant hardware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware.
CCI-003319	The organization requires the developer of the information system, system component, or information system service to describe the security-relevant software mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant software.
CCI-003320	The organization requires the developer of the information system, system component, or information system service to describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant firmware.