Back

Evaluate system development projects for compliance with the system requirements specifications.


CONTROL ID
06903
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Perform Quality Management on all newly developed or modified systems., CC ID: 01100

This Control has the following implementation support Control(s):
  • Evaluate each system development project to verify it remains feasible., CC ID: 06904
  • Cancel or suspend system development projects if the benefits do not outweigh the disadvantages., CC ID: 06905


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • When employing new technologies utilizing Internet-based services (such as cloud computing services) in response to changing business environments, it is necessary both to consider matters such as domestic and foreign laws, regulations, and assessment systems and to carry out continual confirmation … (C7.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Planning and design controls would typically be in place to ensure that IT security is embodied in the overall IT architecture. Solutions implemented would normally comply with the IT security requirements of a regulated institution (as embodied in the IT security risk management framework), includi… (¶ 53, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The IT system is reviewed for compliance with specifications prior to productive use. (5.3.1 Requirements (should) Bullet 3, Information Security Assessment, Version 5.1)
  • The measures thus derived are reviewed regularly during the project and reassessed in case of changes to the assessment criteria. (C, I, A) (1.2.3 Additional requirements for high protection needs Bullet 1, Information Security Assessment, Version 5.1)
  • The system development methodology should ensure that applications are developed to comply with contractual requirements (e.g., those relating to external parties such as customers, clients, and suppliers). (CF.17.01.03c, The Standard of Good Practice for Information Security)
  • The system development methodology should require that initiatives are driven by business requirements (i.e., they are not technology-led). (CF.17.01.04b, The Standard of Good Practice for Information Security)
  • The system development methodology should ensure that applications are developed to comply with contractual requirements (e.g., those relating to external parties such as customers, clients, and suppliers). (CF.17.01.03c, The Standard of Good Practice for Information Security, 2013)
  • The system development methodology should require that initiatives are driven by business requirements (i.e., they are not technology-led). (CF.17.01.04b, The Standard of Good Practice for Information Security, 2013)
  • The organization shall evaluate current projects to verify that they comply with the project directives. (§ 6.2.3.3(b)(1)(ii), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The new or changed services shall be tested to verify the service requirements and documented design are met. (§ 5.4 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The design verification should include the source code evaluation procedures and the results. (§ 5.2.4 ¶ 4, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Reviews the development process, standards, tools, and tool options/configurations [FedRAMP Assignment: as needed and as dictated by the current threat posture] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [FedRAMP Assignment: organ… (SA-15b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), FedRAMP Security Controls High Baseline, Version 5)
  • Review the development process, standards, tools, tool options, and tool configurations [FedRAMP Assignment: frequency as before first use and annually thereafter] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following secu… (SA-15b., FedRAMP Security Controls High Baseline, Version 5)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Review the development process, standards, tools, tool options, and tool configurations [FedRAMP Assignment: frequency at least annually] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requireme… (SA-15b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Store, retrieve, and manipulate data for analysis of system capabilities and requirements. (T0228, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify cyber capabilities strategies for custom hardware and software development based on mission requirements. (T0250, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies. (T0359, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Store, retrieve, and manipulate data for analysis of system capabilities and requirements. (T0228, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Identify cyber capabilities strategies for custom hardware and software development based on mission requirements. (T0250, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies. (T0359, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at {organizationally documented breadth/depth} and at {organizationally documented decision points in the system development life cycle}. (SA-15(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle]. (SA-15(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: … (SA-15b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Require the developer of the system, system component, or system service to perform a criticality analysis: (SA-15(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (SA-15(3) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements]. (SA-15b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle]. (SA-15(3) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)