SA-5(3) — High-level Design

High-level design documentation describes the system's overall security architecture in terms of major components, their relationships, and how security is implemented across them.

Example 1: Require a high-level design document that shows the system's security architecture: where encryption is applied, where access control is enforced, where audit logging occurs, and how components are segmented. This document should be understandable by a security reviewer who is not a developer.

Example 2: Use architecture diagrams (draw.io, Visio, Lucidchart) to document the security boundary, trust zones, and data flows. Label each zone with its security level and the controls that protect the boundary between zones. Store these diagrams alongside the system security plan.