NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-5(4) Low-level Design

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Low-level design documentation provides detailed technical descriptions of how individual security mechanisms are implemented — enough detail for a developer or security tester to understand exactly how they work.

Example 1: The low-level design document should describe how specific security functions are implemented: the exact encryption algorithm and key length, the password hashing function and salt handling, the session management approach (token format, expiration, revocation), and the audit log record format.

Example 2: For custom-developed applications, maintain design specifications for each security module: authentication service, authorization engine, encryption library, logging framework. These specifications should be detailed enough that a security auditor can verify the implementation matches the design.