SA-03-727 System Development Life Cycle

System Development Life Cycle

Control ID

SA-03-727

Control Name

System Development Life Cycle

Control Category

Security Assessment and Authorization

Functional Areas

Protect

Sub-Areas

Secure System Services, Acquisition and Development

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

Information resource owners shall include information security, security testing, and audit controls in all phases of the system development lifecycle or acquisition process. Where systems are designed for multi-tenancy, test environments may reside in a separate tenant from production environments or in a physically or logically separate environment. In systems that are not designed for multi-tenancy, test environments must reside physically or logicailly separate from production environments. Copies of production data are not used for testing unless the data has been authorized for public release or unless all custodians involved in testing are otherwise authorized access to the data.

Risk Statement

Developed and implemented systems do not consider the Design phase of the systems development lifecycle.

Control Description

The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; b. Defines and documents information security roles and responsibilities throughout the system development life cycle; c. Identifies individuals having information security roles and responsibilities; and d. Integrates the organizational information security risk management process into system development life cycle activities.

Control Example

a. The existing system development lifecycle includes consideration for information security. b. Test environments are kept either physically or logically separate from production environments. c. Copies of production data are not used for testing unless the data has been authorized for public release or unless all custodians involved in testing are otherwise authorized access to the data.

State Implementation

Information security, security testing, and audit controls shall be included in all phases of the system development lifecycle or acquisition process.

Testing Procedures

Obtain system and services acquisition policy; procedures addressing the integration of information security into the system development life cycle process; NIST Special Publication 800-64; information system development life cycle documentation; other relevant documents or records and ascertain if : (I)the organization manages the information system using a system development life cycle methodology that includes information security considerations. (ii)the organization uses a system development life cycle that is consistent with NIST Special Publication 800-64.