The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [one or more of "security-relevant external system interfaces"/"high-level design"/"low-level design"/"source code or hardware schematics"/"{{ insert: param, sa-4.2_prm_2 }}"] at [one of ].
Supplemental
Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.