NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-13 — Trustworthiness
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
This control (withdrawn and incorporated into SA-8) addresses the trustworthiness of information systems — the degree to which they can be trusted to operate correctly and protect information as intended.
Example 1: Evaluate the trustworthiness of your systems by considering the security engineering principles used in their design, the rigor of their development process, and the thoroughness of their testing. Systems built with more rigorous processes deserve higher trust.
Example 2: Document the assurance level required for each system based on its criticality and the sensitivity of the data it processes. A high-assurance system might require formal verification of security properties, while a low-assurance system might only require standard development practices and testing.