Control: The organisation requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
Developer Security Architecture and Design Supplemental Guidance:
This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organisations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organisations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organisation’s enterprise architecture and information security architecture.
Developer Security Architecture and Design Control Enhancements:
SA-17 (1) Developer Security Architecture and Design - Formal Policy Model
The organisation requires the developer of the information system, system component, or information system service to:
- (a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organisation-defined elements of organisational security policy] to be enforced; and
- (b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organisational security policy when implemented.
Supplemental Guidance: Formal models describe specific behaviours or security policies using formal languages, thus enabling the correctness of those behaviours/policies to be formally proven. Not all components of information systems can be modelled, and generally, formal specifications are scoped to specific behaviours or policies of interest (e.g., non discretionary access control policies). Organisations choose the particular formal modelling language and approach based on the nature of the behaviours/policies to be described and the available tools. Formal modelling tools include, for example, Gypsy and Zed.
SA-17 (2) Developer Security Architecture and Design - Security-relevant components
The organisation requires the developer of the information system, system component, or information system service to:
- (a) Define security-relevant hardware, software, and firmware; and
- (b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
Supplemental Guidance: Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties.
Related control: SA-5.
SA-17 (3) Developer Security Architecture and Design - Formal correspondence
The organisation requires the developer of the information system, system component, or information system service to:
- (a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
- (b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
- (c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
- (d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
- (e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
Supplemental Guidance: Correspondence is an important part of the assurance gained through modelling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviours or policies being modelled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output.
Related control: SA- 5.
SA-17 (4) Developer Security Architecture and Design - Informal correspondence
The organisation requires the developer of the information system, system component, or information system service to:
- (a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
- (b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
- (c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
- (d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
- (e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
Supplemental Guidance: Correspondence is an important part of the assurance gained through modelling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present has no impact on the behaviours or policies being modelled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security- relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output.
Related control: SA-5.
SA-17 (5) Developer Security Architecture and Design - Conceptually simple design
The organisation requires the developer of the information system, system component, or information system service to:
- (a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
- (b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
Supplemental Guidance: Related control:SC-3.
SA-17 (6) Developer Security Architecture and Design - Structure for testing
The organisation requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.
Supplemental Guidance: Related control:SA-11.