SA-3: System Development Life Cycle

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:

Baselines:

  • Low
    • SA-3
  • Moderate
    • SA-3
  • High
    • SA-3
  • Privacy
    • SA-3

Previous Version:

Control Statement

  1. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
  2. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
  3. Identify individuals having information security and privacy roles and responsibilities; and
  4. Integrate the organizational information security and privacy risk management process into system development life cycle activities.

Supplemental Guidance

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.

The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.

Control Enhancements

SA-3(1): Manage Preproduction Environment

Baseline(s):

(Not part of any baseline)

Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.

SA-3(2): Use of Live or Operational Data

Baseline(s):

(Not part of any baseline)

Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.

SA-3(3): Technology Refresh

Baseline(s):

(Not part of any baseline)

Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.