NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION

3.13.2 Employ Architectural Designs, Software Development Techniques, and Systems Engineering Principles That Promote Effective Information Security

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

This practice is about building security into your systems from the ground up, not bolting it on after the fact. Your network architecture, your applications, and your infrastructure should all be designed with security as a core principle.

Example 1: Implement a zero-trust network architecture by segmenting your network into VLANs with inter-VLAN routing controlled by ACLs on your managed switch or firewall. For example, put CUI systems on VLAN 10, general workstations on VLAN 20, and printers/IoT on VLAN 30 -- with firewall rules that prevent VLAN 20 and 30 from reaching VLAN 10 directly.
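
One way to check that an exported rule list still enforces the Example 1 segmentation, as an added example that is not part of the original page. The subnets, the `Rule` tuple and both sample ACLs are assumptions constructed for illustration, and the first-match model is a simplification of how a real firewall evaluates rules.

```python
import ipaddress
from typing import NamedTuple

# Assumed subnets: the page names VLAN 10/20/30 but gives no addressing.
CUI = ipaddress.ip_network("10.0.10.0/24")            # VLAN 10
UNTRUSTED = {
    "VLAN 20": ipaddress.ip_network("10.0.20.0/24"),  # general workstations
    "VLAN 30": ipaddress.ip_network("10.0.30.0/24"),  # printers / IoT
}

class Rule(NamedTuple):
    action: str  # "permit" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR

def _overlap(a, b):
    """Intersection of two CIDR blocks (the smaller one), or None if disjoint."""
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None

def violations(rules):
    """List (vlan, rule_index) for each permit that lets an untrusted VLAN reach CUI.
    First-match evaluation with an implicit final deny. A permit counts as
    effective unless a single earlier deny covers all the traffic it would
    pass, so the check errs toward reporting.
    """
    parsed = [(r.action, ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst))
              for r in rules]
    found = []
    for name, vlan in UNTRUSTED.items():
        for i, (action, src, dst) in enumerate(parsed):
            s, d = _overlap(src, vlan), _overlap(dst, CUI)
            if action != "permit" or s is None or d is None:
                continue
            if not any(a == "deny" and s.subnet_of(ds) and d.subnet_of(dd)
                       for a, ds, dd in parsed[:i]):
                found.append((name, i))
    return found

# Constructed sample ACLs (not taken from any real device).
INTENDED = [Rule("deny", "10.0.20.0/24", "10.0.10.0/24"),
            Rule("deny", "10.0.30.0/24", "10.0.10.0/24"),
            Rule("permit", "10.0.0.0/16", "0.0.0.0/0")]
# Same ACL after an exception was inserted above the denies.
DRIFTED = [Rule("permit", "10.0.30.0/24", "10.0.10.25/32")] + INTENDED

if __name__ == "__main__":
    print(violations(INTENDED), violations(DRIFTED))
```

Running a check like this against each configuration export and keeping the output gives a dated record that the segmentation is still the one that was designed.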

Example 2: In Azure or M365, use Conditional Access Policies in Entra ID to enforce security at the identity layer. Create a policy that requires MFA and a compliant device for any access to SharePoint sites containing CUI. This is security baked into the architecture, not an afterthought.

The assessor wants to see that security decisions were intentional and documented, not accidental.