SA-4(3): Development Methods, Techniques, and Practices

CSF v1.1 References:


(Not part of any baseline)

Previous Version:

Control Statement

Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:

  1. [Assignment: organization-defined systems engineering methods];
  2. <assign:#>organization-defined [Assignment (one or more): systems security, privacy<#:assign> engineering methods]; and
  3. [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes].

Supplemental Guidance

Following a system development life cycle that includes state-of-the-practice software development methods, systems engineering methods, systems security and privacy engineering methods, and quality control processes helps to reduce the number and severity of latent errors within systems, system components, and system services. Reducing the number and severity of such errors reduces the number of vulnerabilities in those systems, components, and services. Transparency in the methods and techniques that developers select and implement for systems engineering, systems security and privacy engineering, software development, component and system assessments, and quality control processes provides an increased level of assurance in the trustworthiness of the system, system component, or system service being acquired.