>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SA-3System Development Life Cycle

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a

Acquire, develop, and manage the system using organization-defined system development life cycle that incorporates information security and privacy considerations;

b

Define and document information security and privacy roles and responsibilities throughout the system development life cycle;

c

Identify individuals having information security and privacy roles and responsibilities; and

d

Integrate the organizational information security and privacy risk management process into system development life cycle activities.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions.

The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.

The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.

>Programmatic Queries

Beta

Related Services

AWS CodePipeline
AWS CodeCommit
AWS CodeBuild

CLI Commands

List CodePipeline pipelines
aws codepipeline list-pipelines
Get pipeline execution history
aws codepipeline list-pipeline-executions --pipeline-name PIPELINE_NAME
List CodeBuild projects
aws codebuild list-projects
Get pipeline state
aws codepipeline get-pipeline-state --name PIPELINE_NAME
Open AWS ConsoleDocumentation

>Related Controls

AT-3
PL-8
PM-7
SA-4
SA-5
SA-8
SA-11
SA-15
SA-17
SA-22
SR-3
SR-4
SR-5
SR-9

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-3?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-3?
  • How is security integrated throughout your system development lifecycle (SDLC)?
  • How do you assess and monitor the security posture of suppliers and vendors?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?
  • What security practices are required at each phase of the SDLC?
  • What secure coding practices and standards are required for developers?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?
  • Can you show evidence of security activities performed during development?
  • Can you provide code review or static analysis results?

Ask AI

Configure your API key to use AI features.