The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [one or more of: security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; {{ insert: param, sa-4.2_prm_2 }}] at [organization-defined level of detail].
Supplemental
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.