Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.
CONTROL ID 06267
CONTROL TYPE Systems Design, Build, and Implementation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Systems design, build, and implementation, CC ID: 00989
This Control has the following implementation support Control(s):
Develop systems in accordance with the system design specifications and system design standards., CC ID: 01094
Develop new products based on secure coding techniques., CC ID: 11733
Establish and maintain the overall system development project management roles and responsibilities., CC ID: 00991
Perform Quality Management on all newly developed or modified systems., CC ID: 01100
Perform Quality Management on all newly developed or modified software., CC ID: 11798
Develop the system in a timely manner and cost-effective way., CC ID: 06908
Establish, implement, and maintain sandboxes., CC ID: 14946
Develop Natural Language Processing tools, as necessary., CC ID: 14063
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
The organization shall initiate the project plan to meet the set objectives and criteria and to manage the project. (§ 6.3.1.3(d)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
Is application development performed? (§ G.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
Is application development performed? (§ H.3, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
Is application development performed? (§ I.2, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
Is there a formal software development life cycle process? (§ I.2.7, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
During the development phase, the system security plan is updated to ensure only implemented security controls are described in the document and it should include information from other required documents, such as the risk assessment, configuration management plan, rules of behavior, interconnection … (§ 2.6, System Security Plan (SSP) Procedure, Version 1.1 Final)
Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. (SA-20 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. (SA-20 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
The organization re-implements or custom develops {organizationally documented critical information system components}. (SA-20 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The organization re-implements or custom develops [Assignment: organization-defined critical information system components]. (SA-20 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: (SA-4(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. (SA-20 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: (SA-4(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. (SA-20 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
The organization re-implements or custom develops [Assignment: organization-defined critical information system components]. (SA-20 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)