Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.


CONTROL ID: 06267
CONTROL TYPE: Systems Design, Build, and Implementation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Systems design, build, and implementation, CC ID: 00989

This Control has the following implementation support Control(s):
  • Develop systems in accordance with the system design specifications and system design standards., CC ID: 01094
  • Develop new products based on secure coding techniques., CC ID: 11733
  • Establish and maintain the overall system development project management roles and responsibilities., CC ID: 00991
  • Perform Quality Management on all newly developed or modified systems., CC ID: 01100
  • Perform Quality Management on all newly developed or modified software., CC ID: 11798
  • Develop the system in a timely manner and cost-effective way., CC ID: 06908
  • Establish, implement, and maintain sandboxes., CC ID: 14946
  • Develop Natural Language Processing tools, as necessary., CC ID: 14063


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization shall initiate the project plan to meet the set objectives and criteria and to manage the project. (§ 6.3.1.3(d)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Is application development performed? (§ G.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is application development performed? (§ H.3, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Is application development performed? (§ I.2, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Is there a formal software development life cycle process? (§ I.2.7, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • During the development phase, the system security plan is updated to ensure only implemented security controls are described in the document and it should include information from other required documents, such as the risk assessment, configuration management plan, rules of behavior, interconnection … (§ 2.6, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. (SA-20 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. (SA-20 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization re-implements or custom develops {organizationally documented critical information system components}. (SA-20 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization re-implements or custom develops [Assignment: organization-defined critical information system components]. (SA-20 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: (SA-4(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. (SA-20 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: (SA-4(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. (SA-20 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization re-implements or custom develops [Assignment: organization-defined critical information system components]. (SA-20 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)