STIGhub — A free STIG search and compliance tool · © 2026 Beacon Cloud Solutions, Inc.

SA-3

Family: System and Services Acquisition · Rev 5 · organization

System Development Life Cycle

Baselines: Low, Moderate, High, Privacy

Control Statement

a. Acquire, develop, and manage the system using [Assignment: system-development life cycle] that incorporates information security and privacy considerations;
b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
c. Identify individuals having information security and privacy roles and responsibilities; and
d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.

Supplemental Guidance

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. 
Because the system development life cycle involves multiple organizations (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.

Related Controls (14)

AT-3, PL-8, PM-7, SA-4, SA-5, SA-8, SA-11, SA-15, SA-17, SA-22, SR-3, SR-4, SR-5, SR-9

CCI Identifiers (16)

CCI-000615: Manage the system using an organization-defined system development life cycle that incorporates information security considerations.
CCI-000616: Define and document information system security roles and responsibilities throughout the system development life cycle.
CCI-000617: The organization documents information system security roles and responsibilities throughout the system development life cycle.
CCI-000618: Identify individuals having information system security roles and responsibilities.
CCI-003092: Defines a system development life cycle that is used to manage the system.
CCI-003093: Integrate the organizational information security risk management process into system development life cycle activities.
CCI-004669: Acquire the system using an organization-defined system development life cycle that incorporates information security considerations.
CCI-004670: Acquire the system using an organization-defined system development life cycle that incorporates information privacy considerations.
CCI-004671: Develop the system using an organization-defined system development life cycle that incorporates information security considerations.
CCI-004672: Develop the system using an organization-defined system development life cycle that incorporates information privacy considerations.
CCI-004673: Manage the system using an organization-defined system development life cycle that incorporates information privacy considerations.
CCI-004674: Defines a system development life cycle that is used to develop the system.
CCI-004675: Defines a system development life cycle that is used to acquire the system.
CCI-004676: Define and document information system privacy roles and responsibilities throughout the system development life cycle.
CCI-004677: Identify individuals having information system privacy roles and responsibilities.
CCI-004678: Integrate the organizational information privacy risk management process into system development life cycle activities.

Linked STIG Checks (0)

No STIG checks reference this control.