SA-08 Security Engineering Principles

System and Services Acquisition

Low Moderate High

Description

The organization designs and implements the information system using security engineering principles.

Supplemental Guidance

NIST Special Publication 800-27 provides guidance on engineering principles for information system security. The application of security engineering principles is primarily targeted at new development information systems or systems undergoing major upgrades and is integrated into the system development life cycle. For legacy information systems, the organization applies security engineering principles to system upgrades and modifications, to the extent feasible, given the current state of the hardware, software, and firmware components within the system.

Changes from Rev 4

- Title changed from 'Security Engineering Principles'
- Control text adds privacy and system components
- New parameter requires specifying applicable systems security and privacy engineering principles
- Discussion expanded to explain benefits
- Incorporates withdrawn control SA-13

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

A.8.25, A.8.26, A.8.27

ISO 27002:2022

5.8, 8.25, 8.26, 8.27

COBIT 2019

APO03, APO04, BAI02, BAI03

CIS Controls v8

CIS 16, CIS 16.10, CIS 16.11, CIS 16.14

NIST CSF 2.0

PR.PS-06

SOC 2 TSC

CC2.2, CC3.2, CC5.1, CC5.2, CC6.1-POF2, CC6.1-POF7, CC6.7-POF1, CC7.1, CC7.1-POF1, CC8.1

PCI DSS v4.0.1

6.2

CSA CCM v4

AIS-01, AIS-02, AIS-04, DSP-07

CSA AICM v1

AIS-01, AIS-02, AIS-04, AIS-08, AIS-10, AIS-14, AIS-15, DSP-07, DSP-20, MDS-01, MDS-09, MDS-10

ISO 42001:2023

A.6.1.2, A.6.1.3

NIS2 Directive

Art. 21(2)(e)

MAS TRM

56

ANSSI

Hygiene.23, Hygiene.36, SecNumCloud.15.3

FINMA Circular 2023/1

IV.A(28), IV.A(29), IV.B.d(59)

OSFI B-13

B-13.2.2, B-13.3.2

EU GDPR

Art.25(1), Art.25(2), Rec.78

EU DORA

Art.7(1), Art.9(1)

BIO2

5.8, 8.25, 8.26, 8.27

RBI CSF

Annex1.6, ITGRCA.12

FISC Security Guidelines

FISC.O10, FISC.O13, FISC.T1, FISC.T6

HKMA TM-E-1

TME1.3.1, TME1.3.2, TME1.7.3

MLPS 2.0

8.1.9.4

DNB Good Practice

DNB.2.1, DNB.3.2

EU CRA

CRA.I.1, CRA.I.2b, CRA.I.2g, CRA.I.2j

SAMA CSF

1.43.2

NCA ECC

1-6, 2-14, 2-3, 5-1

UAE IA

T10

CBB TM

TM-7

Qatar NIA

SD

CBUAE

CR-6

CBE CSF

CTO-4

SA JS2

JS2-SA

CBN CSF

Part4, Part5.1, Part5.2

BoG CISD

CISD-IX, CISD-SDLC

BoM CTRM

3.13.11

IOSCO Cyber Resilience

LE-3, PROT-6

BCBS 239

Principle 2, Principle 6

CPMI-IOSCO PFMI

PFMI.P17, PFMI.P3

FFIEC IS

II.C.17, II.C.2, II.C.3

NYDFS 500

500.8

ECB CROE

CROE.2.3.4

EBA ICT Guidelines

3.4.4, 3.6.1, 3.6.2

SEBI CSCRF

PR.AS, PR.IP

BOT Cyber Resilience

Ch2.5, Ch6.2

CMMC 2.0

SC

TSA Pipeline SD

SD-2 Sec F

IEEE 1686-2022

5.10

DOE C2M2 v2.1

ARCHITECTURE

API 1164

Sec 5

IAEA NSS 17-T

Sec 5.1

PCI PTS v6

F

FIPS 140-3

FIPS 140-3 §7.2

Common Criteria

CC Part 1 — PP, CC Part 1 — ST, CC Part 3 — SAR

Solvency II

EIOPA-ICT-4.11

Lloyd's Minimum Standards

BP2.1, MS1.1

NAIC Insurance Data Security

4-config

PRA SS1/23

P3.1

FCA SYSC 13

SYSC 13.7.1, SYSC 13.8.4

HITRUST CSF v11

09.b, 10.a, 10.d

FDA 21 CFR Part 11

§11.10(a)

FDA Cybersecurity Guidance

SPDF-1, SPDF-3, TM-2, TM-3

ISO 27799

14.1, 14.2

OWASP MASVS v2.1

MASVS-CRYPTO-1, MASVS-CRYPTO-2, MASVS-PRIVACY-2, MASVS-RESILIENCE-2, MASVS-RESILIENCE-3, MASVS-RESILIENCE-4

MiCA

Art.68(1), Art.68(5), Art.69(1), Art.70(1), Art.72(1), Art.62(5)

Basel SCO60

SCO60.2, SCO60.14, SCO60.21, SCO60.51, SCO60.52, SCO60.64, SCO60.65

BSSC Standards

TIS-03, KMS-02

SEC Custody (Digital Assets)

SEC-CD-03, SEC-CD-06, SEC-CD-08

ISO 17799 (legacy)

12.1

COBIT 4.1 (legacy)

AI2.4