Evaluate system development projects for compliance with the system requirements specifications.


CONTROL ID: 06903
CONTROL TYPE: Systems Design, Build, and Implementation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Perform Quality Management on all newly developed or modified systems., CC ID: 01100

This Control has the following implementation support Control(s):
  • Evaluate each system development project to verify it remains feasible., CC ID: 06904
  • Cancel or suspend system development projects if the benefits do not outweigh the disadvantages., CC ID: 06905


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Planning and design controls would typically be in place to ensure that IT security is embodied in the overall IT architecture. Solutions implemented would normally comply with the IT security requirements of a regulated institution (as embodied in the IT security risk management framework), includi… (¶ 53, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The system development methodology should ensure that applications are developed to comply with contractual requirements (e.g., those relating to external parties such as customers, clients, and suppliers). (CF.17.01.03c, The Standard of Good Practice for Information Security)
  • The system development methodology should require that initiatives are driven by business requirements (i.e., they are not technology-led). (CF.17.01.04b, The Standard of Good Practice for Information Security)
  • The system development methodology should ensure that applications are developed to comply with contractual requirements (e.g., those relating to external parties such as customers, clients, and suppliers). (CF.17.01.03c, The Standard of Good Practice for Information Security, 2013)
  • The system development methodology should require that initiatives are driven by business requirements (i.e., they are not technology-led). (CF.17.01.04b, The Standard of Good Practice for Information Security, 2013)
  • The organization shall evaluate current projects to verify that they comply with the project directives. (§ 6.2.3.3(b)(1)(ii), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The new or changed services shall be tested to verify the service requirements and documented design are met. (§ 5.4 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The design verification should include the source code evaluation procedures and the results. (§ 5.2.4 ¶ 4, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Reviews the development process, standards, tools, and tool options/configurations [FedRAMP Assignment: as needed and as dictated by the current threat posture] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [FedRAMP Assignment: organ… (SA-15b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Store, retrieve, and manipulate data for analysis of system capabilities and requirements. (T0228, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify cyber capabilities strategies for custom hardware and software development based on mission requirements. (T0250, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies. (T0359, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Store, retrieve, and manipulate data for analysis of system capabilities and requirements. (T0228, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify cyber capabilities strategies for custom hardware and software development based on mission requirements. (T0250, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies. (T0359, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at {organizationally documented breadth/depth} and at {organizationally documented decision points in the system development life cycle}. (SA-15(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle]. (SA-15(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle]. (SA-15(3) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)