NIST 800-53 REV 5 • PLANNING

PL-8(1) Defense in Depth

Design the security and privacy architectures for the system using a defense-in-depth approach that: Allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }}; and Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations strategically allocate security and privacy controls in the security and privacy architectures so that adversaries must overcome multiple controls to achieve their objective. Requiring adversaries to defeat multiple controls makes it more difficult to attack information resources by increasing the work factor of the adversary; it also increases the likelihood of detection. The coordination of allocated controls is essential to ensure that an attack that involves one control does not create adverse, unintended consequences by interfering with other controls. Unintended consequences can include system lockout and cascading alarms. The placement of controls in systems and organizations is an important activity that requires thoughtful analysis. The value of organizational assets is an important consideration in providing additional layering. Defense-in-depth architectural approaches include modularity and layering (see [SA-8(3)](#sa-8.3)), separation of system and user functionality (see [SC-2](#sc-2)), and security function isolation (see [SC-3](#sc-3)).

Practitioner Notes

Defense in depth means layering multiple security controls so that if one fails, others still protect your systems. Your security architecture should be deliberately designed with overlapping protections.

Example 1: Map your controls to defense layers: perimeter firewall blocks known bad traffic, IDS monitors for suspicious patterns that get through, endpoint protection catches malware on the host, application controls limit what programs can run, and data encryption protects information even if all other layers fail. Document this layered approach in your security architecture.

Example 2: Ensure no single point of failure exists in your security architecture. For example, do not rely solely on your firewall for access control — also implement network segmentation, host-based firewalls (Windows Firewall configured via GPO), and Conditional Access policies. If the firewall is bypassed, these layers still provide protection.
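The single-point-of-failure check from Example 2 can be applied to a documented allocation (the "Allocates controls to layers" part of PL-8(1)) rather than judged by eye. The script below is an added example, not part of NIST 800-53 or any CMMC tooling; the control, layer and attack-path names are constructed to match the layers named in Examples 1 and 2, and a path counts as defended in depth only when controls in at least two distinct architectural layers cover it.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str          # control identifier (constructed, illustrative)
    layer: str         # architectural layer the control is allocated to
    covers: frozenset  # attack paths the control helps block or detect


# Constructed allocation modelled on the layers in Examples 1 and 2.
# Names are assumptions for illustration, not NIST-defined identifiers.
ALLOCATION = [
    Control("perimeter-firewall", "network-perimeter",
            frozenset({"inbound-access", "c2-egress"})),
    Control("nids", "network-perimeter",
            frozenset({"inbound-access", "lateral-movement"})),
    Control("network-segmentation", "internal-network",
            frozenset({"lateral-movement"})),
    Control("host-firewall-gpo", "host",
            frozenset({"inbound-access", "lateral-movement"})),
    Control("endpoint-protection", "host", frozenset({"malware-execution"})),
    Control("app-allowlisting", "application", frozenset({"malware-execution"})),
    Control("conditional-access", "identity", frozenset({"inbound-access"})),
    Control("data-encryption", "data", frozenset({"data-exfiltration"})),
]


def layers_covering(allocation):
    """Map each attack path to the set of distinct layers that cover it.

    Two controls in the same layer (firewall and NIDS at the perimeter) do
    not add depth: bypassing that layer bypasses both of them.
    """
    layers = defaultdict(set)
    for control in allocation:
        for path in control.covers:
            layers[path].add(control.layer)
    return dict(layers)


def single_points_of_failure(allocation, min_layers=2):
    """Return attack paths covered by fewer than min_layers distinct layers."""
    return sorted(path for path, layers in layers_covering(allocation).items()
                  if len(layers) < min_layers)


if __name__ == "__main__":
    for path, layers in sorted(layers_covering(ALLOCATION).items()):
        print(f"{path:20} depth={len(layers)} layers={sorted(layers)}")
    print("single points of failure:", single_points_of_failure(ALLOCATION) or "none")
```

With the constructed allocation, outbound command-and-control traffic and data exfiltration each rest on one layer, which is exactly the gap the documented architecture should either close or explicitly accept.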