Embedded Files
This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: (H) as needed and as dictated by the current threat posture] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: (H) organization and service provider- defined security requirements].
NIST 800-53 (r4) Supplemental Guidance:
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8.
NIST 800-53 (r5) Discussion:
Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
38North Guidance:
Meets Minimum Requirement:
Develop and document a development process for the organization that includes addressing security requirements and functionalities, detailed description of tools used and their purpose, function and configurations,
Review the development process, standards, and tools on an annual basis or as needed based on changes to the organization and the current IT operating environment and threat landscape.
Best Practice:
Live customer data shall not be used in production environments.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Document describing the development process that includes the various environments utilized by the developers/engineers, development configuration management process(es) and procedures (refer to SA-10), development standards that must be followed for tools and techniques to use, standards and criteria used by developers throughout the development lifecycle, etc.
Security review throughout development processes that depict the acquisition of the product (review/approval), system design documents demonstrating redundancy and high availability, peer-review/secure code review results, meeting minutes from daily scrums that depict approval from management, collaboration amongst teams to demonstrate a well-organized and integrated process, performance metrics and ability to perform customer workloads, etc.
CSP Implementation Tips:
None.
Page updated
Report abuse