PL-8(1)

  • Requirement

    Design the security and privacy architectures for the system using a defense-in-depth approach that:

    1. Allocates [Assignment: organization-defined controls] to [Assignment: organization-defined locations and architectural layers]; and
    2. Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.
  • Discussion

    Organizations strategically allocate security and privacy controls in the security and privacy architectures so that adversaries must overcome multiple controls to achieve their objective. Requiring adversaries to defeat multiple controls makes it more difficult to attack information resources by increasing the work factor of the adversary; it also increases the likelihood of detection. The coordination of allocated controls is essential to ensure that an attack that involves one control does not create adverse, unintended consequences by interfering with other controls. Unintended consequences can include system lockout and cascading alarms. The placement of controls in systems and organizations is an important activity that requires thoughtful analysis. The value of organizational assets is an important consideration in providing additional layering. Defense-in-depth architectural approaches include modularity and layering (see SA-8(3)), separation of system and user functionality (see SC-2), and security function isolation (see SC-3).

More Info

  • Title

    Security and Privacy Architectures | Defense in Depth
  • Family

    Planning
  • NIST 800-53B Baseline(s)

  • Related NIST 800-53 ID

    SC-2; SC-3; SC-29; SC-36
