NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-17(6) Structure for Testing

Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Applying the security design principles in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) promotes complete, consistent, and comprehensive testing and evaluation of systems, system components, and services. The thoroughness of such testing contributes to the evidence produced to generate an effective assurance case or argument as to the trustworthiness of the system, system component, or service.

Practitioner Notes

Design the system in a way that facilitates thorough security testing. If a system's architecture makes testing difficult, important security properties will go unverified.

Example 1: Design applications with testability in mind: separate security logic from business logic so security functions can be unit-tested independently, expose health check and diagnostic endpoints (protected by authentication), and support running in a test mode that allows security testing without affecting production data.

Example 2: Provide test harnesses and mock services that allow security testers to exercise security functions in isolation. For example, provide a test authentication service that returns configurable responses so testers can verify how the application handles various authentication failures.
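A sketch of the test authentication service from Example 2, combined with the separation of security logic from Example 1. This is an added illustration, not part of the NIST control text. The names `StubAuthService`, `AuthResult`, `AuthServiceUnavailable`, `login`, the usernames and the HTTP status choices are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class AuthResult(Enum):
    OK = "ok"
    BAD_CREDENTIALS = "bad_credentials"
    ACCOUNT_LOCKED = "account_locked"
    MFA_REQUIRED = "mfa_required"

class AuthServiceUnavailable(Exception):
    """Raised when the identity backend cannot be reached."""

@dataclass
class StubAuthService:
    """Test double: returns whatever the tester configured for a username."""
    responses: dict
    default: AuthResult = AuthResult.BAD_CREDENTIALS

    def verify(self, username, password):
        outcome = self.responses.get(username, self.default)
        if isinstance(outcome, Exception):
            raise outcome          # simulate an outage or timeout
        return outcome

def login(auth_service, username, password):
    """Security logic only: map an auth outcome to (HTTP status, session granted).
    The auth service is injected so a stub can replace the real one in tests."""
    try:
        result = auth_service.verify(username, password)
    except AuthServiceUnavailable:
        return 503, False          # backend down: deny rather than fall through
    if result is AuthResult.OK:
        return 200, True
    if result is AuthResult.ACCOUNT_LOCKED:
        return 423, False
    return 401, False              # bad credentials, pending MFA, or unknown outcome

# Constructed stub configuration covering the failure modes under test.
STUB = StubAuthService({
    "alice": AuthResult.OK,
    "bob": AuthResult.ACCOUNT_LOCKED,
    "carol": AuthResult.MFA_REQUIRED,
    "dave": AuthServiceUnavailable("idp timeout"),
})
```

Because `login` takes the authentication service as a parameter, each failure path can be exercised without a live identity provider, and a response the application does not recognise is checked to deny access.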