NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-24 — Design For Cyber Resiliency
Design organizational systems, system components, or system services to achieve cyber resiliency by:
- Defining the following cyber resiliency goals: {{ insert: param, sa-24_odp.01 }}.
- Defining the following cyber resiliency objectives: {{ insert: param, sa-24_odp.02 }}.
- Defining the following cyber resiliency techniques: {{ insert: param, sa-24_odp.03 }}.
- Defining the following cyber resiliency implementation approaches: {{ insert: param, sa-24_odp.04 }}.
- Defining the following cyber resiliency design principles: {{ insert: param, sa-24_odp.05 }}.
Implement the selected cyber resiliency goals, objectives, techniques, implementation approaches, and design principles as part of an organizational risk management process or systems security engineering process.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
- CA-7
- CP-10
- CP-11
- CP-12
- CP-13
- CP-2
- CP-4
- CP-9
- IA-10
- IR-4
- IR-5
- PE-11
- PE-17
- PL-8
- PM-16
- PM-30
- PM-31
- PM-7
- RA-10
- RA-3
- RA-5
- RA-9
- SA-17
- SA-3
- SA-8
- SA-9
- SC-10
- SC-11
- SC-29
- SC-3
- SC-30
- SC-34
- SC-35
- SC-36
- SC-37
- SC-39
- SC-44
- SC-47
- SC-48
- SC-49
- SC-5
- SC-50
- SC-51
- SC-7
- SI-10
- SI-14
- SI-15
- SI-16
- SI-19
- SI-20
- SI-21
- SI-22
- SI-23
- SI-3
- SI-4
- SI-6
- SI-7
- SR-10
- SR-11
- SR-3
- SR-4
- SR-5
- SR-6
- SR-7
- SR-9
Supplemental Guidance
Cyber resiliency is critical to ensuring the survivability of mission critical systems and high value assets. Cyber resiliency focuses on limiting the damage from adversity or the conditions that can cause a loss of assets. Damage can affect: (1) organizations (e.g., loss of reputation, increased existential risk); (2) missions or business functions (e.g., decreased capability to complete current missions and to accomplish future missions); (3) security (e.g., decreased capability to achieve security objectives or to prevent, detect, and respond to cyber incidents); (4) systems (e.g., unauthorized use of system resources or decreased capability to meet system requirements); or (5) specific system elements (e.g., physical destruction; corruption, modification, or fabrication of information). Cyber resiliency goals are intended to help organizations maintain a state of informed preparedness for adversity, continue essential mission or business functions despite adversity, restore mission or business functions during and after adversity, and modify mission or business functions and their supporting capabilities in response to predicted changes in technical, operational, or threat environments. NIST SP 800-160, Volume 2 provides additional information on the Cyber Resiliency Engineering Framework to include detailed descriptions of cyber resiliency goals, objectives, techniques, implementation approaches, and design principles. NIST SP 800-160, Vol 1 provides additional information on achieving cyber resiliency as an emergent property of an engineered system.
Practitioner Notes
Design systems with cyber resiliency in mind — the ability to anticipate, withstand, recover from, and adapt to attacks. Resiliency assumes that some attacks will succeed and focuses on continuing operations despite compromise.
Example 1: Design your architecture with redundancy and graceful degradation. If your primary authentication server is compromised, can users still authenticate through a backup? If your database is encrypted by ransomware, how quickly can you restore from backups? Design for these failure scenarios, not just for normal operations.
Example 2: Implement MITRE's Cyber Resiliency Engineering Framework: apply techniques like diversity (use different products for redundant functions), segmentation (limit blast radius of a compromise), and dynamic positioning (move critical assets to avoid persistent targeting). Test resiliency through regular tabletop exercises and red team engagements.