STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← All Controls

SA-15

System and Services AcquisitionRev 5organization

Development Process, Standards, and Tools

Baselines:ModerateHigh

Control Statement

a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].

Supplemental Guidance

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

Related Controls (11)

MA-6SA-3SA-4SA-8SA-10SA-11SR-3SR-4SR-5SR-6SR-9

CCI Identifiers (21)

CCI-003233Require the developer of the system, system component, or system service to follow a documented development process.CCI-003234Require the developer of the system, system component, or system service to follow a documented development process that explicitly addresses security requirements.CCI-003235Require the developer of the system, system component, or system service to follow a documented development process that identifies the standards used in the development process.CCI-003238Require the developer of the system, system component, or system service to follow a documented development process that documents changes to the process and/or tools used in development.CCI-003237Require the developer of the system, system component, or system service to follow a documented development process that documents the specific tool options and tool configurations used in the development process.CCI-003239Require the developer of the system, system component, or system service to follow a documented development process that manages changes to the process and/or tools used in development.CCI-004816Require the developer of the system, system component, or system service to follow a documented development process that explicitly addresses privacy requirements.

Linked STIG Checks (2)

Across 1 STIGs. Click to expand.

CCI-004817Review the development process in accordance with organization-defined frequency to determine if the development process selected and employed can satisfy organization-defined privacy requirements.
CCI-004818Review the development standards in accordance with organization-defined frequency to determine if the development standards selected and employed can satisfy organization-defined privacy requirements.
CCI-004819Review the development tools in accordance with organization-defined frequency to determine if the development tools selected and employed can satisfy organization-defined privacy requirements.
CCI-003236Require the developer of the system, system component, or system service to follow a documented development process that identifies the tools used in the development process.
CCI-004820Review the development tool options/configurations in accordance with organization-defined frequency to determine if the development tool options and tool configurations selected and employed can satisfy organization-defined privacy requirements.
CCI-004821Defines the frequency on which to review the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options and tool configurations selected and employed can satisfy organization-defined privacy requirements.
CCI-004822Defines the privacy requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options and tool configurations.
CCI-003240Require the developer of the system, system component, or system service to follow a documented development process that ensures the integrity of changes to the process and/or tools used in development.
CCI-003241Review the development process in accordance with organization-defined frequency to determine if the development process selected and employed can satisfy organization-defined security requirements.
CCI-003242Review the development standards in accordance with organization-defined frequency to determine if the development standards selected and employed can satisfy organization-defined security requirements.
CCI-003243Review the development tools in accordance with organization-defined frequency to determine if the development tools selected and employed can satisfy organization-defined security requirements.
CCI-003244Review the development tool options/configurations in accordance with organization-defined frequency to determine if the development tool options and tool configurations selected and employed can satisfy organization-defined security requirements.
CCI-003245Defines the frequency on which to review the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options and tool configurations selected and employed can satisfy organization-defined security requirements.
CCI-003246Defines the security requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options and tool configurations.