CMMC SC.3.180 - Employ Security Architecture and Design to Promote Effective Security

Requirement text: SC.3.180: Employ architectural designs, software development techniques, and
systems engineering principles that promote effective information security within organizational systems.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations apply systems security engineering principles to new development systems
or systems undergoing major upgrades. For legacy systems, organizations apply systems
security engineering principles to system upgrades and modifications to the extent feasible,
given the current state of hardware, software, and firmware components within those
systems. The application of systems security engineering concepts and principles helps to
develop trustworthy, secure, and resilient systems and system components and reduce the
susceptibility of organizations to disruptions, hazards, and threats. Examples of these
concepts and principles include developing layered protections; establishing security
policies, architecture, and controls as the foundation for design; incorporating security
requirements into the system development life cycle; delineating physical and logical
security boundaries; ensuring that developers are trained on how to build secure software;
and performing threat modeling to identify use cases, threat agents, attack vectors and
patterns, design patterns, and compensating controls needed to mitigate risk. Organizations
that apply security engineering concepts and principles can facilitate the development of
trustworthy, secure systems, system components, and system services; reduce risk to
acceptable levels; and make informed risk-management decisions.

CMMC CLARIFICATION
Familiarity with security engineering principles and their successful application to your
infrastructure will increase the security of your environment. NIST SP 800-160 System
Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of
Trustworthy Secure Systems can serve as a source of security engineering and design
principles.

Organizations need to decide which designs and principles to apply. Some will not be
possible or appropriate for your organization as a whole. Some will not be possible,
applicable, or appropriate for specific systems or components.

Once a decision is made on which designs and principles to apply, they should be applied to
your organization’s policies and security standards. Starting with your baseline
configuration, they should be extended through all layers of the technology stack (e.g.,
hardware, software, firmware) and throughout all the components of your infrastructure.
The application of these chosen designs and principles should drive your organization
towards a secure architecture with the required security capabilities and intrinsic behaviors
present throughout the lifecycle of your technology.

As legacy components in your architecture age, it may become increasingly difficult for those
components to meet security principles and requirements. This should factor into lifecycle
decisions for those components (e.g., replacing legacy hardware, upgrading or rewriting
software, upgrading run-time environments).

Example
You are the security architect responsible for developing strategies to protect data and
harden your organization’s infrastructure. You are included on the team responsible for
performing a major upgrade on a legacy system. You refer to the company’s documented
security engineering principles. Reviewing each, you decide which are appropriate and
applicable. You apply the chosen designs and principles when creating your design for the
upgrade.

You document the security requirements for the software and hardware changes to ensure
the principles are followed. You review the upgrade at critical points in the workflow to
ensure the requirements are met. You assist in updating the policies covering the use of the
upgraded system so user behavior stays aligned with the principles.

References
• NIST SP 800-171 Rev 1 3.13.2
• CIS Controls v7.1 5.1, 5.2, 5.4
• NIST SP 800-53 Rev 4 SA-8