
SA-17

System and Services Acquisition | Rev 5 | organization

Developer Security and Privacy Architecture and Design

Baselines: High

Control Statement

Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:

Supplemental Guidance

Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, [PL-8](#pl-8) is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and [PL-8](#pl-8) is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. [ISO 15408-2](#87087451-2af5-43d4-88c1-d66ad850f614), [ISO 15408-3](#4452efc0-e79e-47b8-aa30-b54f3ef61c2f), and [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.

Related Controls (7)

PL-2, PL-8, PM-7, SA-3, SA-4, SA-8, SC-7

CCI Identifiers (10)

CCI-003294: Require the developer of the system, system component, or system service to produce a design specification and security architecture that is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture.
CCI-003295: Require the developer of the system, system component, or system service to produce a design specification and security architecture that accurately and completely describes the required security functionality.
CCI-003296: Require the developer of the system, system component, or system service to produce a design specification and security architecture that accurately and completely describes the allocation of security controls among physical and logical components.
CCI-003297: Require the developer of the system, system component, or system service to produce a design specification and security architecture that expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
CCI-003293: Require the developer of the system, system component, or system service to produce a design specification and security architecture.
CCI-004840: Require the developer of the system, system component, or system service to produce a privacy architecture that accurately and completely describes the allocation of privacy controls among physical and logical components.
CCI-004841: Require the developer of the system, system component, or system service to produce a privacy architecture that expresses how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.
CCI-004838: Require the developer of the system, system component, or system service to produce a privacy architecture that is consistent with and supportive of the organization's privacy architecture which is established within and is an integrated part of the organization's enterprise architecture.
CCI-004837: Require the developer of the system, system component, or system service to produce a privacy architecture.
CCI-004839: Require the developer of the system, system component, or system service to produce a privacy architecture that accurately and completely describes the required privacy functionality.

Linked STIG Checks (0)

No STIG checks reference this control.