This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
NIST 800-53 (r4) Supplemental Guidance:
Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11.
NIST 800-53 (r5) Discussion:
A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.
The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.
38North Guidance:
Meets Minimum Requirement:
Determine and document the security requirements as part of the organization's overall financial planning (e.g., budgeting).
Establish mechanisms to review and update security requirements as required, ensuring that budgetary constraints are considered.
Allocate the required resources throughout the development and implementation of security controls to ensure proper security and risk management of the information system (e.g., consider the security training required for acquiring/providing IT services/products, determine whether additional resources are required for the development/implementation of new or existing IT services/products, analyze the resources and costs required to maintain the IT services/products, etc.).
Best Practice:
Identify security stakeholders that have review and potentially approval authority at various stages in the planning cycle.
Update security policy to reflect gates where identified stakeholders have review and approval authority.
Follow a defined financial planning process (or CPIC process).
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Provide project management and/or control documentation that demonstrates integration of security requirements and funding into the planning process.
Provide meeting minutes that include a date, time, stakeholders, and discussion topics, with actions assigned/completed, for discussing and planning security requirements.
Provide financial planning documents detailing the financial allocations for IT service and product considerations and requirements, including security tools, services, designated security personnel, training, assessments, etc. The documents should include the associated cost(s) for information security requirements/needs (the artifact should show a discrete line item for security costs or security activities acquired).
CSP Implementation Tips:
None.