NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-17(2) — Security-relevant Components
Require the developer of the system, system component, or system service to: Define security-relevant hardware, software, and firmware; and Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
Supplemental Guidance
The security-relevant hardware, software, and firmware represent the portion of the system, component, or service that is trusted to perform correctly to maintain required security properties.
Practitioner Notes
Identify and isolate the security-relevant components of a system so they can be analyzed, tested, and protected more rigorously than the rest of the system.
Example 1: In your system architecture, clearly identify which components are security-relevant: authentication modules, access control engines, encryption services, audit logging, and key management. These components should be documented separately and receive more rigorous code review and testing.
Example 2: Isolate security-relevant code into separate modules or microservices so they can be independently updated, tested, and audited. A change to the authentication service should not require retesting the entire application, and a vulnerability in a business logic module should not directly compromise the authentication service.
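One way to back the completeness rationale with a mechanical check over a component inventory, as an added example that is not part of the NIST text. The component names, the inventory layout, and the rule that every dependency of a security-relevant component must itself be declared security-relevant are assumptions made for illustration.

```python
# Constructed inventory: component names, kinds and dependencies are illustrative only.
SECURITY_FUNCTIONS = {"authentication", "access control", "encryption",
                      "audit logging", "key management"}  # list from Example 1

INVENTORY = {
    "auth-service":  {"kind": "software", "functions": {"authentication"},
                      "security_relevant": True, "depends_on": ["kms", "session-cache"]},
    "kms":           {"kind": "software", "functions": {"key management", "encryption"},
                      "security_relevant": True, "depends_on": ["hsm-firmware"]},
    "hsm-firmware":  {"kind": "firmware", "functions": set(),
                      "security_relevant": True, "depends_on": []},
    "session-cache": {"kind": "software", "functions": set(),
                      "security_relevant": False, "depends_on": []},
    "audit-writer":  {"kind": "software", "functions": {"audit logging"},
                      "security_relevant": False, "depends_on": []},
    "order-api":     {"kind": "software", "functions": set(),
                      "security_relevant": False, "depends_on": ["auth-service"]},
}

def completeness_gaps(inventory):
    """Return sorted (component, reason) pairs where the security-relevant set looks incomplete."""
    gaps = set()
    declared = {n for n, c in inventory.items() if c["security_relevant"]}
    # Rule 1: a component performing a listed security function must be declared.
    for name, comp in inventory.items():
        if comp["functions"] & SECURITY_FUNCTIONS and name not in declared:
            gaps.add((name, "performs a security function but is not declared"))
    # Rule 2 (assumption): whatever a declared component depends on, directly or
    # transitively, is also trusted to work correctly, so it must be declared too.
    stack, seen = list(declared), set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for dep in inventory[current]["depends_on"]:
            if dep not in inventory:
                gaps.add((dep, f"dependency of {current} missing from inventory"))
            else:
                if dep not in declared:
                    gaps.add((dep, f"trusted dependency of {current} but not declared"))
                stack.append(dep)
    return sorted(gaps)

if __name__ == "__main__":
    for component, reason in completeness_gaps(INVENTORY):
        print(f"{component}: {reason}")
```

Consumers of a security-relevant component (here the hypothetical order-api) are not flagged, since the trust relationship runs from the trusted component to what it relies on, not the reverse.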