{"id":1814,"date":"2024-08-19T16:39:18","date_gmt":"2024-08-19T16:39:18","guid":{"rendered":"https:\/\/www.tarleton.edu\/security-controls-catalog\/?page_id=1814"},"modified":"2024-09-05T00:39:40","modified_gmt":"2024-09-05T00:39:40","slug":"sa-8-security-and-privacy-engineering-principles","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/system-and-services-acquisition-sa\/sa-8-security-and-privacy-engineering-principles\/","title":{"rendered":"SA-8: Security and Privacy Engineering Principles"},"content":{"rendered":"\n<h1 class=\"wp-block-heading has-large-font-size\">SA-8: Security and Privacy Engineering Principles<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>NIST Baseline: <\/strong>Low&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>DIR Required By:<\/strong> &nbsp;07\/20\/2023&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Review Date: \u00a0<\/strong>08\/08\/2024\u00a0<\/h2>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>Information resource custodians should apply system security and privacy engineering principles commensurate with a system\u2019s risks and criticality.&nbsp; These should be applied throughout the system\u2019s lifecycle: specification, design, development, implementation, and modification.&nbsp;&nbsp;&nbsp;\n<ul class=\"wp-block-list\">\n<li>Security is everyone\u2019s job. 
Developers, operations, owners, custodians, and security personnel should be empowered to manage security risks together in each phase of the lifecycle.&nbsp;<\/li>\n\n\n\n<li>Communication needs to be fast, smooth, and effective to ensure timely identification and resolution of security risks.&nbsp;<\/li>\n\n\n\n<li>Implement the security design principles of:&nbsp;\n<ul class=\"wp-block-list\">\n<li>Clear abstractions&nbsp;<\/li>\n\n\n\n<li>Least common mechanism&nbsp;<\/li>\n\n\n\n<li>Modularity in layering&nbsp;<\/li>\n\n\n\n<li>Partially ordered dependencies&nbsp;&nbsp;<\/li>\n\n\n\n<li>Efficiently mediated access&nbsp;<\/li>\n\n\n\n<li>Minimized sharing&nbsp;<\/li>\n\n\n\n<li>Reduced complexity&nbsp;<\/li>\n\n\n\n<li>Secure evolvability&nbsp;<\/li>\n\n\n\n<li>Trusted components&nbsp;<\/li>\n\n\n\n<li>Hierarchical trust&nbsp;<\/li>\n\n\n\n<li>Inverse modification threshold&nbsp;<\/li>\n\n\n\n<li>Hierarchical protection&nbsp;<\/li>\n\n\n\n<li>Minimized security elements&nbsp;<\/li>\n\n\n\n<li>Least privilege&nbsp;<\/li>\n\n\n\n<li>Predicate permissions&nbsp;<\/li>\n\n\n\n<li>Self-reliant trustworthiness&nbsp;<\/li>\n\n\n\n<li>Secure distributed composition&nbsp;<\/li>\n\n\n\n<li>Trusted communications channel&nbsp;<\/li>\n\n\n\n<li>Continuous protection&nbsp;<\/li>\n\n\n\n<li>Secure metadata management&nbsp;<\/li>\n\n\n\n<li>Self-analysis&nbsp;&nbsp;<\/li>\n\n\n\n<li>Accountability and traceability&nbsp;<\/li>\n\n\n\n<li>Secure defaults&nbsp;<\/li>\n\n\n\n<li>Secure failure and recovery&nbsp;<\/li>\n\n\n\n<li>Economic security&nbsp;<\/li>\n\n\n\n<li>Performance security&nbsp;<\/li>\n\n\n\n<li>Human factored security&nbsp;<\/li>\n\n\n\n<li>Acceptable security&nbsp;<\/li>\n\n\n\n<li>Repeatable and documented procedures&nbsp;<\/li>\n\n\n\n<li>Procedural rigor&nbsp;<\/li>\n\n\n\n<li>Secure system modification&nbsp;<\/li>\n\n\n\n<li>Sufficient documentation&nbsp;<\/li>\n\n\n\n<li>Minimization&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr 
class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>References\/Additional Resources<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">PRIVACT<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">OMB A-130<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.FIPS.199\" target=\"_blank\" rel=\"noreferrer noopener\">FIPS 199<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.FIPS.200\" target=\"_blank\" rel=\"noreferrer noopener\">FIPS 200<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-37<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-53A<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-60-1<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-60-2<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-160-1<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.8062\" target=\"_blank\" rel=\"noreferrer noopener\">IR 8062<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SA-8: Security and Privacy Engineering Principles NIST Baseline: Low&nbsp; DIR Required By: &nbsp;07\/20\/2023&nbsp; Review Date: \u00a008\/08\/2024\u00a0 References\/Additional 
Resources PRIVACT&nbsp; OMB A-130&nbsp; FIPS 199&nbsp; FIPS 200&nbsp; SP 800-37&nbsp; SP 800-53A&nbsp; SP &#8230;<\/p>\n","protected":false},"author":1,"featured_media":580,"parent":1975,"menu_order":6,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"class_list":["post-1814","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/author\/brian-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-3\/","display_name":"brian"},"relative_dates":{"created":"Posted 2 years ago","modified":"Updated 2 years ago"},"absolute_dates":{"created":"Posted on August 19, 2024","modified":"Updated on September 5, 2024"},"absolute_dates_time":{"created":"Posted on August 19, 2024 4:39 pm","modified":"Updated on September 5, 2024 12:39 am"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/comments?post=1814"}],"version-history":[{"count":0,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1814\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1975"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/
security-controls-catalog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/media?parent=1814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}