NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-8(16) Self-reliant Trustworthiness

Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The principle of self-reliant trustworthiness states that systems minimize their reliance on other systems for their own trustworthiness. A system is trustworthy by default, and any connection to an external entity is used to supplement its function. If a system were required to maintain a connection with another external entity in order to maintain its trustworthiness, then that system would be vulnerable to malicious and non-malicious threats that could result in the loss or degradation of that connection. The benefit of the principle of self-reliant trustworthiness is that the isolation of a system will make it less vulnerable to attack. A corollary to this principle relates to the ability of the system (or system component) to operate in isolation and then resynchronize with other components when it is rejoined with them.

Practitioner Notes

Self-reliant trustworthiness means that a system should not depend on external entities for its fundamental security properties. If the network goes down, the system should still protect its data.

Example 1: Configure endpoints to enforce security policies locally, even when disconnected from the network. BitLocker should encrypt the disk whether or not the device can reach the domain controller. Windows Defender should continue scanning with cached definitions when offline.

Example 2: Design applications so that security checks run locally rather than requiring a round-trip to a central server for every decision. Cache authorization tokens with appropriate expiration times so the application can continue making access decisions during brief network outages.
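
One way to apply Example 2, as an added illustration that is not part of the NIST text or of this page's original notes: the application verifies a cached, signed authorization token entirely locally and fails closed once it expires. The token format and the names `issue_token`, `verify_token` and `LocalAuthorizer` are hypothetical, and HMAC with a locally provisioned key is an assumption made to keep the example standard-library only.

```python
import base64, hashlib, hmac, json, time

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_token(key, subject, actions, ttl, now):
    """Stand-in for the central server: sign the grant and its expiry time."""
    payload = json.dumps({"sub": subject, "act": sorted(actions), "exp": now + ttl}).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())

def verify_token(key, token, now):
    """Return the claims if the token is authentic and unexpired, else None. No network."""
    try:
        p64, t64 = token.split(".")
        payload, tag = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong shape or bad base64
        return None
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return None
    claims = json.loads(payload)
    return claims if now < claims.get("exp", 0) else None

class LocalAuthorizer:
    """Makes access decisions from cached tokens; key is provisioned locally (assumption)."""
    def __init__(self, key, clock=time.time):
        self._key, self._clock, self._tokens = key, clock, {}

    def cache(self, subject, token):
        self._tokens[subject] = token  # stored while the central server was reachable

    def is_allowed(self, subject, action):
        token = self._tokens.get(subject)
        claims = verify_token(self._key, token, self._clock()) if token else None
        if claims is None or claims.get("sub") != subject:
            self._tokens.pop(subject, None)  # expired, forged or missing: fail closed
            return False
        return action in claims.get("act", [])

if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed sample values
    t = [1000.0]                          # controllable clock for the demo
    auth = LocalAuthorizer(key, clock=lambda: t[0])
    auth.cache("alice", issue_token(key, "alice", ["read"], ttl=300, now=t[0]))
    print(auth.is_allowed("alice", "read"))   # within the token lifetime
    t[0] = 1300.0                             # outage outlasts the lifetime
    print(auth.is_allowed("alice", "read"))
```

The token lifetime bounds how long a revoked grant can still be honored offline, so it should be chosen to match the outage length the system is expected to tolerate.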