This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.
NIST 800-53 (r4) Supplemental Guidance:
A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8.
NIST 800-53 (r5) Discussion:
A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.
The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.
38North Guidance:
Meets Minimum Requirement:
Define and document a system development lifecycle (SDLC) for the organization. The SDLC must include concepts and activities that provide a managed approach to designing, developing, implementing and maintaining an information system throughout the course of its lifecycle for the organization.
Define and document security activities throughout the SDLC to ensure risk management practices are incorporated. The SDLC includes activities that delineate each environment (e.g., Development, Testing, Stage/Deployment, Production) and the transitions between them.
Define and identify security roles and responsibilities throughout the SDLC (e.g., security approvals for reviewing IT products/goods/services).
Best Practice:
Clearly define specific roles that have approval authority, especially for stages that are close to push-to-prod. Back this up with technical controls that enforce access and authorities.
Multiple defined lifecycles can assist with compliance. Specifically, defining one for development and another for operations and maintenance can help draw a firm line between dev and prod processes.
FedRAMP has a bias in favor of automated gates for lifecycle stages. See below.
Unofficial FedRAMP Guidance:
Incorporate scanning in an automated fashion at the appropriate lifecycle stage.
Document the use of automated orchestration tools at the appropriate lifecycle stage.
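As an added example of the technical enforcement that the Best Practice and Unofficial FedRAMP Guidance sections call for (not 38North's or FedRAMP's own tooling): a minimal policy-as-code promotion gate in Python that refuses to move a change to the next lifecycle stage unless the automated scan is clean and the required role has approved, with an AC-5 separation-of-duties check so the author cannot approve their own change. Stage names, role names, and severity thresholds are assumptions.

```python
"""Promotion gate for an SDLC pipeline (constructed example, not a real product)."""
from dataclasses import dataclass, field

# Ordered lifecycle stages; names are assumed for this example.
STAGES = ["development", "testing", "staging", "production"]

# Role that must approve promotion INTO each stage (assumed mapping).
# Gates tighten as the change gets closer to production.
REQUIRED_APPROVER = {
    "testing": "developer_lead",
    "staging": "security_engineer",
    "production": "security_officer",
}

@dataclass
class Change:
    change_id: str
    author: str
    current_stage: str
    scan_findings: dict                      # severity -> count from the automated scanner
    approvals: dict = field(default_factory=dict)  # role -> identity of approver

def scan_gate_passes(findings, max_allowed=None):
    """Automated gate: block on any critical or high finding (thresholds assumed)."""
    max_allowed = max_allowed or {"critical": 0, "high": 0}
    return all(findings.get(sev, 0) <= limit for sev, limit in max_allowed.items())

def evaluate_promotion(change):
    """Return (allowed, reasons); reasons list every failed check for the audit record."""
    reasons = []
    idx = STAGES.index(change.current_stage)
    if idx == len(STAGES) - 1:
        return False, ["already in production"]
    target = STAGES[idx + 1]
    if not scan_gate_passes(change.scan_findings):
        reasons.append(f"scan gate failed for {target}: {change.scan_findings}")
    role = REQUIRED_APPROVER[target]
    approver = change.approvals.get(role)
    if approver is None:
        reasons.append(f"missing {role} approval for {target}")
    elif approver == change.author:
        # AC-5 separation of duties: an author may not approve their own change.
        reasons.append(f"{role} approval by author {approver} violates separation of duties")
    return (not reasons), reasons
```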
Assessment Evidence:
Process documentation related to the organization's SDLC, including secure code development and reviews, security requirements and impact analysis, signing of code artifacts, software testing, acceptance criteria, defined development standards, etc.
System documentation that describes the development process across the SDLC stages (development, testing/staging, deployment, and production environments), including a description of the standard security activities performed throughout the lifecycle.
Security roles defined for the SDLC process, along with separation among roles (per AC-5) for each phase – development, testing, deployment, and production.
Security review approvals, performed annually or whenever there is a significant change to the service (evidenced by change requests/tickets and security impact analyses).
Per customer contractual obligations (if any), records showing the application's defined useful life, with start and end dates, milestones, disposition rules, and documented deviations from the established milestones.
CSP Implementation Tips:
None.