Define the security and privacy requirements for the system and the environment of operation.
Potential Inputs: System design documentation; organization- and system-level risk assessment results; known set of stakeholder assets to be protected; missions, business functions, and mission/business processes the system will support; business impact analyses or criticality analyses; system stakeholder information; data map of the information life cycle for PII; Cybersecurity Framework Profiles; information about other systems that interact with the system; supply chain information; threat information; laws, executive orders, directives, regulations, or policies that apply to the system; risk management strategy.
Expected Outputs: Documented security and privacy requirements.
Primary Responsibility: Mission or Business Owner; System Owner; Information Owner or Steward; System Privacy Officer. [69]
Supporting Roles: Authorizing Official or Authorizing Official Designated Representative; System Security Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy; Chief Acquisition Officer; Security Architect; Privacy Architect; Enterprise Architect.
System Development Life Cycle Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
Discussion: Protection needs are an expression of the protection capability required for the system in order to reduce security and privacy risk to an acceptable level while supporting mission or business needs. Protection needs include the security characteristics [70] of the system and the security behavior of the system in its intended operational environment and across all system life cycle phases. The protection needs reflect the priorities of stakeholders, results of negotiations among stakeholders in response to conflicts, opposing priorities, contradictions, and stated objectives, and thus, are inherently subjective. The protection needs are documented to help ensure that the reasoning, assumptions, and constraints associated with those needs are available for future reference and to provide traceability to the security and privacy requirements. Security and privacy requirements [71] constitute a formal, more granular expression of protection needs across all SDLC phases, the associated life cycle processes, and protections for the assets associated with the system. Security and privacy requirements are obtained from many sources (e.g., laws, executive orders, directives, regulations, policies, standards, mission and business needs, or risk assessments). Security and privacy requirements are an important part of the formal expression of the required characteristics of the system. [72] The security and privacy requirements guide and inform the selection of controls for a system and the tailoring activities associated with those controls.
Organizations can use the Cybersecurity Framework to manage security and privacy requirements and express those requirements in Cybersecurity Framework Profiles defined for the organization. For instance, multiple requirements can be aligned and even deconflicted using the Function-Category-Subcategory structure of the Framework Core. The Profiles can then be used to inform the development of organizationally-tailored control baselines described in the RMF Prepare-Organization Level step, Task P-4.
References: [SP 800-39] (Organization Level); [SP 800-64]; [SP 800-160 v1] (Stakeholder Needs and Requirements Definition Process); [SP 800-161] (Multi-Tiered Risk Management); [IR 8179]; [NIST CSF] (Core [Protect, Detect, Respond, Recover Functions]; Profiles).
[69] The system privacy officer is a primary role only when the information system processes PII.
[70] For example, a fundamental security characteristic is that the system exhibits only specified behaviors, interactions, and outcomes.
[71] The term requirements can have discrete meanings. For example, legal and policy requirements impose obligations to which organizations must adhere. Security and privacy requirements, however, are derived from the protection needs for the system and those protection needs can derive from legal or policy requirements, mission or business needs, risk assessments, or other sources.
[72] Security and privacy requirements can also include assurance requirements. Assurance is having confidence about the ability of the system to remain trustworthy with respect to security and privacy across all forms of adversity resulting from malicious or non-malicious intent.