SA-17 Developer Security and Privacy Architecture and Design
System and Services Acquisition
Description
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: a. Is consistent with the organization's security and privacy architecture that is an integral part of the organization's enterprise architecture; b. Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and c. Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.
Supplemental Guidance
Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-08 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture.
Changes from Rev 4
No significant changes from Rev 4.
MITRE ATT&CK Techniques (7)
ATT&CK v16.1Techniques mitigated by this control, mapped via CTID.