Navigate

SA-17(2)

SA-17(2): Security-relevant Components

Require the developer of the system, system component, or system service to:

(a): Define security-relevant hardware, software, and firmware; and

(b): Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.

Supplemental

The security-relevant hardware, software, and firmware represent the portion of the system, component, or service that is trusted to perform correctly to maintain required security properties.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
CDS - Access, CDS - Multilevel, CDS - Transfer

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-17(2).

Control	Description
AC-25	Implement a reference monitor for [access control policies for which a reference monitor is implemented are defined;] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
SA-5	a: Obtain or develop administrator documentation for the system, system component, or system service that describes: 1: Secure configuration, installation, and operation of the system, component, or service; 2: Effective use and maintenance of security and privacy functions and mechanisms; and 3: Known vulnerabilities regarding configuration and use of administrative or privileged functions; b: Obtain or develop user documentation for the system, system component, or system service that describes: 1: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; 2: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and 3: User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; c: Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;] in response; and d: Distribute documentation to [personnel or roles to distribute system documentation to is/are defined;].

Control

Description

AC-25

Implement a reference monitor for [access control policies for which a reference monitor is implemented are defined;] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

SA-5

a: Obtain or develop administrator documentation for the system, system component, or system service that describes:
- 1: Secure configuration, installation, and operation of the system, component, or service;
- 2: Effective use and maintenance of security and privacy functions and mechanisms; and
- 3: Known vulnerabilities regarding configuration and use of administrative or privileged functions;

b: Obtain or develop user documentation for the system, system component, or system service that describes:
- 1: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
- 2: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
- 3: User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;

c: Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;] in response; and

d: Distribute documentation to [personnel or roles to distribute system documentation to is/are defined;].

Enhancements

The controls below (if any) add on to the requirements of SA-17(2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-17(2).

CCI	Definition
CCI-003301	Require the developer of the system, system component, or system service to define security-relevant hardware.
CCI-003303	Require the developer of the system, system component, or system service to define security-relevant software.
CCI-003304	Require the developer of the system, system component, or system service to define security-relevant firmware.
CCI-003305	Require the developer of the system, system component, or system service to provide a rationale that the definition for security-relevant hardware is complete.
CCI-003306	Require the developer of the system, system component, or system service to provide a rationale that the definition for security-relevant software is complete.
CCI-003307	Require the developer of the system, system component, or system service to provide a rationale that the definition for security-relevant firmware is complete.