NIST SP 800-171 & CMMC 2.0 3.13.2 Requirement:
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
NIST SP 800-171 & CMMC 2.0 3.13.2 Requirement Explanation:
Establishing and adhering to security engineering principles increases the security of your environment. Requiring system administrators and security staff to follow your company's security principles increases accountability.
Example NIST SP 800-171 & CMMC 2.0 3.13.2 Implementation:
NIST Special Publication 800-160 covers the topic of security engineering. It contains a list of "security design principles" of which you need to select some to follow. Document a policy requiring the implementation of the security engineering principles you selected from NIST SP 800-160. Here are a few from NIST SP 800-160 that you can use: "Reduced Complexity: the system design should be as simple and small as possible. A small and simple design will be more understandable, more analyzable, and less prone to error. Least Privilege: each component should be allocated sufficient privileges to accomplish its specified functions, but no more. Trusted Communication Channels: restrict access to communication channels and employ end-to-end protections for the data transmitted over the communication channel. Continuous Protection: all components and data used to enforce the security policy must have uninterrupted protection that is consistent with the security policy and the security architecture assumptions. Accountability and Traceability: it must be possible to trace security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the action is being taken. Secure Defaults: the default configuration of a system (to include its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy. Repeatable and Documented Procedures: the techniques and methods employed to construct a system component should permit the same component to be completely and correctly reconstructed at a later time. Secure System Modification: system modification must maintain system security with respect to the security requirements and risk tolerance of stakeholders. Sufficient Documentation: personnel with responsibility to interact with the system should be provided with adequate documentation and other information such that they contribute to rather than detract from system security. Defense in Depth: security architectures are to be constructed through the application of multiple mechanisms to create a series of barriers to prevent, delay, or deter an attack by an adversary."
NIST SP 800-171 & CMMC 2.0 3.13.2 Scenario(s):
- Scenario 1:
A system administrator setup a complex IT environment at a remote office. You notice that he completed the project without creating any meaningful documentation. You remind him of your company's security engineering principles requiring the creation of documentation. In response, the system admin creates the documentation and stores it in a location accessible by those who need to reference it.
- Scenario 2:
An IT help desk technician needs to configure a laptop for a new employee who's first day of work is tomorrow. The technician rushes through and only installs Microsoft Office and creates the employee's user account. The technician then provides the laptop to the employee. The technician has violated your company's security engineering principle of "secure defaults". He did not apply the baseline configuration to the system containing your default security settings and anti-virus software.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.