NIST 800-53 Rev. 5

AC
AT
AU
CA
CM
CP
IA
IR
MA
MP
PE
PL
PM
PS
PT
RA
SA
SC
SI
SR
SA-1
SA-2
SA-3
SA-3(1)
SA-3(2)
SA-3(3)
SA-4
SA-4(1)
SA-4(2)
SA-4(3)
SA-12
SA-4(5)
SA-4(6)
SA-4(7)
SA-4(8)
SA-4(9)
SA-4(10)
SA-4(11)
SA-4(12)
SA-5
SA-12(1)
SA-12(10)
SA-12(11)
SA-12(12)
SA-12(13)
SA-12(14)
SA-12(15)
SA-8
SA-8(1)
SA-8(2)
SA-8(3)
SA-8(4)
SA-8(5)
SA-8(6)
SA-8(7)
SA-8(8)
SA-8(9)
SA-8(10)
SA-8(11)
SA-8(12)
SA-8(13)
SA-8(14)
SA-8(15)
SA-8(16)
SA-8(17)
SA-8(18)
SA-8(19)
SA-8(20)
SA-8(21)
SA-8(22)
SA-8(23)
SA-8(24)
SA-8(25)
SA-8(26)
SA-8(27)
SA-8(28)
SA-8(29)
SA-8(30)
SA-8(31)
SA-8(32)
SA-8(33)
SA-9
SA-9(1)
SA-9(2)
SA-9(3)
SA-9(4)
SA-9(5)
SA-9(6)
SA-9(7)
SA-9(8)
SA-10
SA-10(1)
SA-10(2)
SA-10(3)
SA-10(4)
SA-10(5)
SA-10(6)
SA-10(7)
SA-11
SA-11(1)
SA-11(2)
SA-11(3)
SA-11(4)
SA-11(5)
SA-11(6)
SA-11(7)
SA-11(8)
SA-11(9)
SA-12(2)
SA-12(3)
SA-12(4)
SA-12(5)
SA-12(6)
SA-12(7)
SA-12(8)
SA-12(9)
SA-13
SA-14
SA-14(1)
SA-15(4)
SA-15(9)
SA-18
SA-18(1)
SA-18(2)
SA-19
SA-19(1)
SA-19(2)
SA-15
SA-15(1)
SA-15(2)
SA-15(3)
SA-19(3)
SA-15(5)
SA-15(6)
SA-15(7)
SA-15(8)
SA-19(4)
SA-15(10)
SA-15(11)
SA-15(12)
SA-16
SA-17
SA-17(1)
SA-17(2)
SA-17(3)
SA-17(4)
SA-17(5)
SA-17(6)
SA-17(7)
SA-17(8)
SA-17(9)
SA-21(1)
SA-22(1)
SA-4(4)
SA-5(1)
SA-5(2)
SA-5(3)
SA-5(4)
SA-5(5)
SA-20
SA-21
SA-6
SA-22
SA-7
SA-23

SA-17: Developer Security and Privacy Architecture and Design

Control Text:

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: a. Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture; b. Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and c. Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.

Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. ISO 15408-2, ISO 15408-3, and SP 800-160-1 provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.

Related Controls