| name | SA-8(31)_secure-system-modification |
| description | Implement the security design principle of secure system modification in [organization-defined]. |
| category | configuration |
| version | 5.2.0 |
| author | cyberstrike-official |
| tags | ["nist","sp800-53","rev5","sa-8-31","sa","enhancement"] |
| tech_stack | ["any"] |
| cwe_ids | ["CWE-16"] |
| chains_with | ["CM-3","CM-4"] |
| prerequisites | ["SA-8"] |
| severity_boost | {"CM-3":"Chain with CM-3 for comprehensive security coverage","CM-4":"Chain with CM-4 for comprehensive security coverage"} |
SA-8(31) Secure System Modification
Enhancement of: SA-8
High-Level Description
Family: System and Services Acquisition (SA)
Framework: NIST SP 800-53 Rev 5
The principle of secure system modification states that system modification maintains system security with respect to the security requirements and risk tolerance of stakeholders. Upgrades or modifications to systems can transform secure systems into systems that are not secure. The procedures for system modification ensure that if the system is to maintain its trustworthiness, the same rigor that was applied to its initial development is applied to any system changes. Because modifications can affect the ability of the system to maintain its secure state, a careful security analysis of the modification is needed prior to its implementation and deployment. This principle parallels the principle of secure evolvability.
What to Check
How to Test
Step 1: Review Documentation
Examine the System Security Plan (SSP) and related artifacts for SA-8(31) implementation details. Verify the organization has documented how this control is satisfied.
Step 2: Validate Implementation
# For cloud environments, use cloud-audit-mcp tools
# For on-premises, review system configurations directly
# Example: Check if account management policies exist
grep -r "account.management\|access.control" /etc/security/ 2>/dev/null
Step 3: Test Operating Effectiveness
Verify the control is actively functioning, not just documented. Check logs, configurations, and operational evidence.
Tools
| Tool | Purpose | Usage |
|---|
| Manual Review | Documentation and interview-based | N/A |
Remediation Guide
Control Statement
Implement the security design principle of secure system modification in [organization-defined].
Implementation Guidance
The principle of secure system modification states that system modification maintains system security with respect to the security requirements and risk tolerance of stakeholders. Upgrades or modifications to systems can transform secure systems into systems that are not secure. The procedures for system modification ensure that if the system is to maintain its trustworthiness, the same rigor that was applied to its initial development is applied to any system changes. Because modifications can affect the ability of the system to maintain its secure state, a careful security analysis of the modification is needed prior to its implementation and deployment. This principle parallels the principle of secure evolvability.
Risk Assessment
| Finding | Severity | Impact |
|---|
| SA-8(31) Secure System Modification not implemented | Medium | System and Services Acquisition |
| SA-8(31) partially implemented | Low | Incomplete System and Services Acquisition |
CWE Categories
| CWE ID | Title |
|---|
| CWE-16 | Configuration |
References
Checklist
