NIST 800-53 SA-8 Mappings

Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-03). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.

The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.

Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SA-8 Security and Privacy Engineering Principles Protects T1078 Valid Accounts
SA-8 Security and Privacy Engineering Principles Protects T1078.001 Default Accounts
SA-8 Security and Privacy Engineering Principles Protects T1078.003 Local Accounts
SA-8 Security and Privacy Engineering Principles Protects T1078.004 Cloud Accounts
SA-8 Security and Privacy Engineering Principles Protects T1134.005 SID-History Injection
SA-8 Security and Privacy Engineering Principles Protects T1190 Exploit Public-Facing Application
SA-8 Security and Privacy Engineering Principles Protects T1482 Domain Trust Discovery
SA-8 Security and Privacy Engineering Principles Protects T1574.002 DLL Side-Loading