SA-17(1)

Requirement
Require the developer of the system, system component, or system service to:
1. Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and
2. Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented.

Discussion

Formal models describe specific behaviors or security and privacy policies using formal languages, thus enabling the correctness of those behaviors and policies to be formally proven. Not all components of systems can be modeled. Generally, formal specifications are scoped to the behaviors or policies of interest, such as nondiscretionary access control policies. Organizations choose the formal modeling language and approach based on the nature of the behaviors and policies to be described and the available tools.

Title

Developer Security and Privacy Architecture and Design | Formal Policy Model
Family

System and Services Acquisition
NIST 800-53B Baseline(s)

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and services acquisition policy; system and services acquisition procedures; enterprise architecture policy; enterprise architecture documentation; procedures addressing developer security and privacy architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; system configuration settings and associated documentation; system security plan; privacy plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer].

ID	Assessment Objectives
SA-17(01)(b)[02]	the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented.
SA-17(01)(a)[01]	as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the <SA-17(01)_ODP[01] organizational security policy> to be enforced;
SA-17(01)(a)[02]	as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the <SA-17(01)_ODP[02] organizational privacy policy> to be enforced;
SA-17(01)(b)[01]	the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented;

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!