NIST SP 800-171 Rev 2 requirement 3.13.2 directs organizations to employ architectural designs, software development techniques, and systems engineering principles that promote effective information security. Security must therefore be a deliberate, documented engineering discipline embedded in how systems are designed, built, and maintained, not bolted on as an afterthought. To satisfy the requirement, an organization first identifies which specific designs, techniques, and principles apply to its environment, and then demonstrates that they are actively employed across its system and communications infrastructure.

Applicable architectural concepts include network segmentation, least-privilege network design, defense-in-depth layering, and zero-trust-aligned trust boundaries. Applicable software development techniques include secure coding standards, threat modeling, and static and dynamic analysis. Applicable systems engineering principles include security requirements elicitation, design verification, and documented acceptance of residual risk.
Where it stops · what it isn't
- Does not mandate adoption of any specific architectural framework such as SABSA, TOGAF, or Zero Trust; organizations choose appropriate designs for their context
- Does not govern physical security design or facility layout, which fall under Physical Protection (PE) domain requirements
- Does not replace or substitute for configuration management controls under CM-L2-3.4.x; this practice governs design intent, not runtime configuration baselines
- Does not require formal software development lifecycle (SDLC) certification or third-party validation of design practices
- Does not address cryptographic algorithm selection or key management, which are addressed in SC-L2-3.13.8 and SC-L2-3.13.10
Connected concepts in the graph
PART OF: domain/system-and-communications-protection