SA-17(2)

Requirement
Require the developer of the system, system component, or system service to:
1. Define security-relevant hardware, software, and firmware; and
2. Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.

Discussion

The security-relevant hardware, software, and firmware represent the portion of the system, component, or service that is trusted to perform correctly to maintain required security properties.

Title

Developer Security and Privacy Architecture and Design | Security-relevant Components
Family

System and Services Acquisition
NIST 800-53B Baseline(s)

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; list of security-relevant hardware, software, and firmware components; documented rationale of completeness regarding definitions provided for security-relevant hardware, software, and firmware; system security plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developers; organizational personnel with information security architecture and design responsibilities].

ID	Assessment Objectives
SA-17(02)(a)[01]	the developer of the system, system component, or system service is required to define security-relevant hardware;
SA-17(02)(a)[02]	the developer of the system, system component, or system service is required to define security-relevant software;
SA-17(02)(a)[03]	the developer of the system, system component, or system service is required to define security-relevant firmware;
SA-17(02)(b)	the developer of the system, system component, or system service is required to provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!