NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-17(4) — Informal Correspondence

Require the developer of the system, system component, or system service to: Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; Show via {{ insert: param, sa-17.04_odp }} that the descriptive top-level specification is consistent with the formal policy model; Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that additional code or implementation detail has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal and informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include mapping registers and direct memory input and output.

Practitioner Notes

Even without formal mathematical proofs, provide clear informal arguments that demonstrate the design implements the security policy. This is appropriate for systems that do not require the highest assurance levels.

Example 1: Create a security design rationale document that explains, in plain technical language, how each security requirement is addressed by the design. 'To prevent unauthorized access, the system uses role-based access control implemented through Azure AD groups, with permissions checked at every API endpoint.'

Example 2: During design reviews, walk through each security requirement and demonstrate informally (with diagrams, data flow analysis, and code walkthrough) that the implementation addresses it. Document the review findings and any gaps identified for remediation.