The following compliance controls are associated with this Policy definition 'Obtain design and implementation information for the security controls' (22a02c9a-49e4-5dc9-0d14-eb35ad717154):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | SA-4(2) | FedRAMP_High_R4_SA-4(2) | FedRAMP High SA-4 (2) | System And Services Acquisition | Design / Implementation Information For Security Controls | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].<br>Supplemental Guidance: Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. | link | 1 |
| FedRAMP_Moderate_R4 | SA-4(2) | FedRAMP_Moderate_R4_SA-4(2) | FedRAMP Moderate SA-4 (2) | System And Services Acquisition | Design / Implementation Information For Security Controls | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].<br>Supplemental Guidance: Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. | link | 1 |
| hipaa | 17101.10a3Organizational.6-10.a | hipaa-17101.10a3Organizational.6-10.a | 17101.10a3Organizational.6-10.a | 17 Risk Management | 17101.10a3Organizational.6-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to provide specific control design and implementation information. | | 7 |
| NIST_SP_800-53_R4 | SA-4(2) | NIST_SP_800-53_R4_SA-4(2) | NIST SP 800-53 Rev. 4 SA-4 (2) | System And Services Acquisition | Design / Implementation Information For Security Controls | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].<br>Supplemental Guidance: Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. | link | 1 |
| NIST_SP_800-53_R5 | SA-4(2) | NIST_SP_800-53_R5_SA-4(2) | NIST SP 800-53 Rev. 5 SA-4 (2) | System and Services Acquisition | Design and Implementation Information for Controls | Shared | n/a | Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Selection (OneOrMore): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design and implementation information]] at [Assignment: organization-defined level of detail]. | link | 1 |
| PCI_DSS_v4.0 | 12.8.2 | PCI_DSS_v4.0_12.8.2 | PCI DSS v4.0 12.8.2 | Requirement 12: Support Information Security with Organizational Policies and Programs | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Shared | n/a | Written agreements with TPSPs are maintained as follows:<br>• Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.<br>• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE. | link | 15 |
| PCI_DSS_v4.0 | 12.8.5 | PCI_DSS_v4.0_12.8.5 | PCI DSS v4.0 12.8.5 | Requirement 12: Support Information Security with Organizational Policies and Programs | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Shared | n/a | Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity. | link | 13 |