Don't bolt security on at the end — design, build, and configure systems with security as a first-class requirement.
What it actually means
This control asks you to use sound architecture and engineering practices so that security is part of how systems are designed, built, and configured, not something retrofitted afterwards. For a small contractor that usually means a documented network and data-flow architecture, secure baseline configurations for each system type, a deliberately drawn boundary around where CUI is stored, processed, and transmitted, and adherence to vendor security best-practice guidance when you stand systems up. If you don't develop software, you don't need a formal software development lifecycle; what you need is evidence that your security decisions were made intentionally, before deployment, and written down.
Pass or fail — an assessor needs a "yes" to each
- Do you have a documented architecture (network diagram plus data flow) that shows where CUI lives and how it's protected?
- Do new systems get built from a documented secure baseline (hardened configuration) rather than vendor default settings?
- Are security requirements considered when you add or change systems, with the reasoning recorded?
What to have ready
- Network and data-flow diagrams showing the CUI boundary
- Documented secure baseline / hardening standards
- SSP section describing your security architecture and engineering approach
Where teams trip up
- Treating this as "we have a firewall" instead of a documented, intentional architecture
- No data-flow diagram, so no one can show where CUI actually goes or which controls protect it at each hop
- Standing up new systems on vendor defaults and retrofitting security later, with no record of what was changed or why
This is a 5-point control and is generally not POA&M-eligible, so it needs to be in place at assessment time. The bar, though, is "deliberate and documented," not "enterprise-grade." A clear architecture diagram, a data-flow diagram showing the CUI boundary, and a written baseline standard go a long way.
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →