STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 14 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← All Controls

SA-17

System and Services AcquisitionRev 5organization

Developer Security and Privacy Architecture and Design

Baselines:High

Control Statement

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:

Supplemental Guidance

Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, [PL-8](#pl-8) is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and [PL-8](#pl-8) is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. [ISO 15408-2](#87087451-2af5-43d4-88c1-d66ad850f614), [ISO 15408-3](#4452efc0-e79e-47b8-aa30-b54f3ef61c2f) , and [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.

Related Controls (7)

PL-2PL-8PM-7SA-3SA-4SA-8SC-7

CCI Identifiers (10)

CCI-003293Require the developer of the system, system component, or system service to produce a design specification and security architecture.CCI-003294Require the developer of the system, system component, or system service to produce a design specification and security architecture that is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture.CCI-003295Require the developer of the system, system component, or system service to produce a design specification and security architecture that accurately and completely describes the required security functionality.CCI-003296Require the developer of the system, system component, or system service to produce a design specification and security architecture that accurately and completely describes the allocation of security controls among physical and logical components.CCI-003297Require the developer of the system, system component, or system service to produce a design specification and security architecture that expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.CCI-004838Require the developer of the system, system component, or system service to produce a privacy architecture that is consistent with and supportive of the organization's privacy architecture which is established within and is an integrated part of the organization's enterprise architecture.

Linked STIG Checks (0)

No STIG checks reference this control.

CCI-004839Require the developer of the system, system component, or system service to produce a privacy architecture that accurately and completely describes the required privacy functionality.
CCI-004840Require the developer of the system, system component, or system service to produce a privacy architecture that accurately and completely describes the allocation of privacy controls among physical and logical components.
CCI-004837Require the developer of the system, system component, or system service to produce a privacy architecture.
CCI-004841Require the developer of the system, system component, or system service to produce a privacy architecture that expresses how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.