Control SA-8
Security and Privacy Engineering Principles (SA-8)
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [organization-defined].
Security Baselines: LOW, MODERATE, HIGH
acquisition, sdlc, services, supply-chain
Why These Connect
Baselined In: 3
This control is included in the linked security baseline (LOW, MODERATE, or HIGH).
Supports: 119
These related controls work together — a change to one may affect the others.
Enhances: 33
These enhancements add specific capabilities or refinements to the base control.
Related Controls (65)
AC-5 Separation of Duties (AC-5): M, H
AC-6 Least Privilege (AC-6): M, H
AC-25 Reference Monitor (AC-25)
AT-2 Literacy Training and Awareness (AT-2): L, M, H
AT-3 Role-based Training (AT-3): L, M, H
AU-2 Event Logging (AU-2): L, M, H
AU-3 Content of Audit Records (AU-3): L, M, H
AU-6 Audit Record Review, Analysis, and Reporting (AU-6): L, M, H
AU-9 Protection of Audit Information (AU-9): L, M, H
AU-10 Non-repudiation (AU-10): H
AU-12 Audit Record Generation (AU-12): L, M, H
CA-7 Continuous Monitoring (CA-7): L, M, H
CM-1 Policy and Procedures (CM-1): L, M, H
CM-2 Baseline Configuration (CM-2): L, M, H
CM-3 Configuration Change Control (CM-3): M, H
CM-4 Impact Analyses (CM-4): L, M, H
CM-6 Configuration Settings (CM-6): L, M, H
CM-7 Least Functionality (CM-7): L, M, H
CM-12 Information Location (CM-12): M, H
CP-10 System Recovery and Reconstitution (CP-10): L, M, H
CP-12 Safe Mode (CP-12)
IA-2 Identification and Authentication (Organizational Users) (IA-2): L, M, H
IR-4 Incident Handling (IR-4): L, M, H
PL-8 Security and Privacy Architectures (PL-8): M, H
PL-10 Baseline Selection (PL-10): L, M, H
PL-11 Baseline Tailoring (PL-11): L, M, H
PM-7 Enterprise Architecture (PM-7)
PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research (PM-25)
RA-2 Security Categorization (RA-2): L, M, H
RA-3 Risk Assessment (RA-3): L, M, H
RA-9 Criticality Analysis (RA-9): M, H
SA-1 Policy and Procedures (SA-1): L, M, H
SA-3 System Development Life Cycle (SA-3): L, M, H
SA-4 Acquisition Process (SA-4): L, M, H
SA-5 System Documentation (SA-5): L, M, H
SA-15 Development Process, Standards, and Tools (SA-15): M, H
SA-17 Developer Security and Privacy Architecture and Design (SA-17): H
SA-20 Customized Development of Critical Components (SA-20)
SC-2 Separation of System and User Functionality (SC-2): M, H
SC-3 Security Function Isolation (SC-3): H
SC-32 System Partitioning (SC-32)
SC-39 Process Isolation (SC-39): L, M, H
SR-2 Supply Chain Risk Management Plan (SR-2): L, M, H
SR-3 Supply Chain Controls and Processes (SR-3): L, M, H
SR-4 Provenance (SR-4)
SR-5 Acquisition Strategies, Tools, and Methods (SR-5): L, M, H
SA-10 Developer Configuration Management (SA-10): M, H
SA-11 Developer Testing and Evaluation (SA-11): M, H
SA-23 Specialization (SA-23)
SA-24 Design For Cyber Resiliency (SA-24)
SC-1 Policy and Procedures (SC-1): L, M, H
SC-4 Information in Shared System Resources (SC-4): M, H
SC-7 Boundary Protection (SC-7): L, M, H
SC-8 Transmission Confidentiality and Integrity (SC-8): M, H
SC-12 Cryptographic Key Establishment and Management (SC-12): L, M, H
SC-13 Cryptographic Protection (SC-13): L, M, H
SC-24 Fail in Known State (SC-24): H
SC-31 Covert Channel Analysis (SC-31)
SC-49 Hardware-enforced Separation and Policy Enforcement (SC-49)
SC-50 Software-enforced Separation and Policy Enforcement (SC-50)
SI-1 Policy and Procedures (SI-1): L, M, H
SI-2 Flaw Remediation (SI-2): L, M, H
SI-7 Software, Firmware, and Information Integrity (SI-7): M, H
SI-12 Information Management and Retention (SI-12): L, M, H
SI-13 Predictable Failure Prevention (SI-13)
Control Enhancements (33)
SA-8(1) Clear Abstractions (SA-8(1))
SA-8(2) Least Common Mechanism (SA-8(2))
SA-8(3) Modularity and Layering (SA-8(3))
SA-8(4) Partially Ordered Dependencies (SA-8(4))
SA-8(5) Efficiently Mediated Access (SA-8(5))
SA-8(6) Minimized Sharing (SA-8(6))
SA-8(7) Reduced Complexity (SA-8(7))
SA-8(8) Secure Evolvability (SA-8(8))
SA-8(9) Trusted Components (SA-8(9))
SA-8(10) Hierarchical Trust (SA-8(10))
SA-8(11) Inverse Modification Threshold (SA-8(11))
SA-8(12) Hierarchical Protection (SA-8(12))
SA-8(13) Minimized Security Elements (SA-8(13))
SA-8(14) Least Privilege (SA-8(14))
SA-8(15) Predicate Permission (SA-8(15))
SA-8(16) Self-reliant Trustworthiness (SA-8(16))
SA-8(17) Secure Distributed Composition (SA-8(17))
SA-8(18) Trusted Communications Channels (SA-8(18))
SA-8(19) Continuous Protection (SA-8(19))
SA-8(20) Secure Metadata Management (SA-8(20))
SA-8(21) Self-analysis (SA-8(21))
SA-8(22) Accountability and Traceability (SA-8(22))
SA-8(23) Secure Defaults (SA-8(23))
SA-8(24) Secure Failure and Recovery (SA-8(24))
SA-8(25) Economic Security (SA-8(25))
SA-8(26) Performance Security (SA-8(26))
SA-8(27) Human Factored Security (SA-8(27))
SA-8(28) Acceptable Security (SA-8(28))
SA-8(29) Repeatable and Documented Procedures (SA-8(29))
SA-8(30) Procedural Rigor (SA-8(30))
SA-8(31) Secure System Modification (SA-8(31))
SA-8(32) Sufficient Documentation (SA-8(32))
SA-8(33) Minimization (SA-8(33))