Requirement
NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 - Control SC.L2-3.13.2 - Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Understanding the Requirement
This control requires an organization to identify and use security-focused architecture choices, secure software development practices, and systems engineering principles so that systems are designed and built with security in mind rather than patched afterwards. In practice, you select a set of security engineering principles (the NIST SP 800-171 Rev. 2 discussion points to NIST SP 800-160 as the source) such as least privilege, reduced complexity, secure defaults, defense in depth, and accountability/traceability, then document and enforce them across architecture, development, and engineering activities so staff know what to follow, managers can measure conformance, and an assessor can see evidence that the principles are actually applied.
Technical Implementation
- Create a concise Security Engineering Policy: select 4–8 principles from NIST SP 800-160 (for example: Reduced Complexity, Least Privilege, Secure Defaults, Defense in Depth, Accountability/Traceability, Secure System Modification). Publish the policy, assign an owner (information security lead), and require sign-off from IT and business system owners. Make the policy the baseline for design, procurement, and development decisions.
- Build and enforce secure architectural patterns: standardize on a small set of approved patterns for common services (e.g., web app DMZ + app tier + database tier, segmented management network, VPN or Zero Trust access). Implement network segmentation (VLANs, firewalls with deny-by-default rules between tiers), use TLS for all data in transit, and require trusted communication channels (mTLS or VPN) for administrative and inter-service traffic. Document each pattern with a diagram and a short rationale tied to the selected principles so deviations can be recognized and justified.
- Integrate secure software development practices into your SDLC: adopt code reviews, static application security testing (SAST) in the CI pipeline, dependency scanning (SCA), and automated unit/integration tests. Define gating rules (e.g., no merge without a passing SAST/SCA scan and one approving peer review) and enforce them with branch protection rather than convention. Train developers on secure coding basics and keep a shortlist of top 10 secure-coding checks that map back to your chosen principles (e.g., input validation and output encoding for reduced attack surface; dedicated low-privilege service accounts for least privilege).
- Establish systems engineering controls for traceability and repeatability: maintain baselined build images and configuration management (infrastructure-as-code or golden images). Use change control (tickets and approvals) and require a documented rollback plan for every production change. Enable logging that ties security-relevant actions to named users (accountability/traceability), protect the logs from modification, and retain them for a defined period to support investigations.
- Operationalize secure defaults and least privilege for endpoints and services: create and deploy baseline configurations (hardening guides) for laptops, servers, and cloud instances; enforce them with MDM, group policy, or centralized configuration tools (Ansible, Chef). Implement role-based access control and periodic access reviews (quarterly) to remove unnecessary privileges.
- Measure and iterate: define simple success criteria (documentation exists, baselines applied to X% of assets, code scan coverage, quarterly privilege reviews completed). Assign implementation and evidence collection to staff with information security responsibilities and to system/network administrators, and report progress to leadership monthly until the process is mature.
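The SDLC gating rule above is only as good as the check that enforces it. The following added example, not code from NIST, CMMC, or any scanner vendor, shows one way to implement a merge gate: it reads findings exported in the SARIF 2.1.0 format (which most SAST and SCA tools can emit), honours suppressions only when they carry a written justification (so accepted risk stays traceable to a decision, supporting the accountability principle), and fails the pipeline when unsuppressed findings reach a severity threshold. The SARIF document embedded below is constructed for illustration; its tool names, rule IDs, file paths, and ticket reference are invented.

```python
"""Merge gate over SAST/SCA findings exported as SARIF 2.1.0.

Added example; not code from NIST, CMMC, or any scanner. The sample SARIF
document below is constructed: tool names, rule IDs, paths, and the ticket
reference are invented for illustration.
"""
import json
import sys

# SARIF "level" values ordered by severity. Per the spec, a result that
# omits "level" is treated as "warning".
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def _result(rule, level, uri, line, text, justification=None):
    """Build one constructed SARIF result object for the sample document."""
    r = {"ruleId": rule, "level": level, "message": {"text": text},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                             "region": {"startLine": line}}}]}
    if justification:
        r["suppressions"] = [{"kind": "inSource", "status": "accepted",
                              "justification": justification}]
    return r


SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "example-sast"}}, "results": [
        _result("PY-EVAL-001", "error", "app/views.py", 42, "eval() on request data"),
        _result("PY-XSS-004", "warning", "app/templates.py", 10, "autoescape disabled"),
        _result("PY-SHELL-002", "error", "scripts/build.py", 7, "subprocess with shell=True",
                justification="CHG-1042: argument is a hard-coded constant"),
    ]},
    {"tool": {"driver": {"name": "example-sca"}}, "results": [
        _result("VULN-DEP", "error", "requirements.txt", 3,
                "examplelib 1.2.3 has a published advisory"),
    ]},
]})


def load_findings(sarif_text):
    """Flatten every result in a SARIF document into a plain dict."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            uri, line = "?", 0
            for loc in result.get("locations", [])[:1]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", 0)
            # A suppression counts only if it is explicitly accepted AND carries
            # a justification, so every exception is traceable to a decision.
            accepted = [s for s in result.get("suppressions", [])
                        if s.get("status") == "accepted" and s.get("justification")]
            findings.append({
                "tool": tool,
                "rule": result.get("ruleId", "?"),
                "level": result.get("level", "warning"),
                "where": f"{uri}:{line}",
                "text": result.get("message", {}).get("text", ""),
                "justification": accepted[0]["justification"] if accepted else None,
            })
    return findings


def evaluate(findings, threshold="error"):
    """Split findings at or above the threshold into blocking vs. accepted."""
    floor = LEVEL_RANK[threshold]
    at_or_above = [f for f in findings if LEVEL_RANK.get(f["level"], 2) >= floor]
    blocking = [f for f in at_or_above if f["justification"] is None]
    accepted = [f for f in at_or_above if f["justification"] is not None]
    return {"passed": not blocking, "blocking": blocking, "accepted": accepted}


def main(argv):
    """Usage: gate.py [results.sarif] [threshold]; exits 1 when the gate fails."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    verdict = evaluate(load_findings(text), argv[2] if len(argv) > 2 else "error")
    for f in verdict["accepted"]:
        print(f"ACCEPTED {f['tool']} {f['rule']} {f['where']}: {f['justification']}")
    for f in verdict["blocking"]:
        print(f"BLOCKING {f['tool']} {f['rule']} {f['level']} {f['where']}: {f['text']}")
    print("gate:", "PASS" if verdict["passed"] else "FAIL")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run in CI after the scanners, pass the SARIF file and the policy's threshold, and let the non-zero exit code block the merge. The printed ACCEPTED lines double as evidence for the change ticket: they show which findings were knowingly waived and by which decision, which is exactly the traceability an assessor will ask about.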
Example in a Small or Medium Business
Acme Engineering (50 employees) adopted a short Security Engineering Policy selecting six principles from NIST SP 800-160: secure defaults, least privilege, reduced complexity, defense in depth, traceability, and repeatable procedures. The CTO and security lead documented three approved architectural patterns covering SaaS-hosted applications and on-prem management systems, each including network segmentation and mandatory TLS. The development team added SAST and dependency scanning to their Git-based CI pipeline and required at least one peer review plus a passing scan before merging. IT created golden images for employee laptops with baseline hardening and an MDM policy to enforce antivirus, disk encryption, and automatic patching. Every production change required a ticket, a rollback plan, and a logged approval, and audit logs captured who made each change and why. Within three months Acme had baselines applied to 90% of assets, automated scans on every pull request, and a quarterly access review process that removed dormant privileges, reducing the number of high-risk exposures and making security responsibilities visible and auditable.
Summary
Selecting and documenting a small set of security engineering principles, then mapping those principles to architecture patterns, SDLC practices, and systems engineering controls gives SMBs a practical path to satisfy SC.L2-3.13.2. A short policy with assigned owners plus concrete technical measures—baseline images, segmented architectures, CI security gates, change control, and traceable logs—creates repeatable, auditable behavior that embeds security into design and operations rather than relying on ad hoc fixes.