>myctrl.tools
Preferences
Under active development Content is continuously updated and improved · Last updated Feb 18, 2026, 2:55 AM UTC
Compare

SA-8(21)Security and Privacy Engineering Principles | Self-analysis

IL5
IL6

>Control Description

Implement the security design principle of self-analysis in organization-defined systems or system components.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

The principle of self-analysis states that a system component is able to assess its internal state and functionality to a limited extent at various stages of execution, and that this self-analysis capability is commensurate with the level of trustworthiness invested in the system. At the system level, self-analysis can be achieved through hierarchical assessments of trustworthiness established in a bottom-up fashion. In this approach, the lower-level components check for data integrity and correct functionality (to a limited extent) of higher-level components.

For example, trusted boot sequences involve a trusted lower-level component that attests to the trustworthiness of the next higher-level components so that a transitive chain of trust can be established. At the root, a component attests to itself, which usually involves an axiomatic or environmentally enforced assumption about its integrity. Results of the self-analyses can be used to guard against externally induced errors, internal malfunction, or transient errors.

By following this principle, some simple malfunctions or errors can be detected without allowing the effects of the error or malfunction to propagate outside of the component. Further, the self-test can be used to attest to the configuration of the component, detecting any potential conflicts in configuration with respect to the expected configuration.

>Related Controls

CA-7

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-8(21)?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-8(21)?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?

Ask AI

Configure your API key to use AI features.