>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SA-8(29)Security and Privacy Engineering Principles | Repeatable and Documented Procedures

IL5
IL6

>Control Description

Implement the security design principle of repeatable and documented procedures in organization-defined systems or system components.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

The principle of repeatable and documented procedures states that the techniques and methods employed to construct a system component permit the same component to be completely and correctly reconstructed at a later time. Repeatable and documented procedures support the development of a component that is identical to the component created earlier, which may be in widespread use. In the case of other system artifacts (e.g., documentation and testing results), repeatability supports consistency and the ability to inspect the artifacts.

Repeatable and documented procedures can be introduced at various stages within the system development life cycle and contribute to the ability to evaluate assurance claims for the system. Examples include systematic procedures for code development and review, procedures for the configuration management of development tools and system artifacts, and procedures for system delivery.

>Related Controls

CM-1
SA-1
SA-10
SA-11
SA-15
SA-17
SC-1
SI-1

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-8(29)?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-8(29)?
  • How is security integrated throughout your system development lifecycle (SDLC)?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?
  • What security practices are required at each phase of the SDLC?
  • What secure coding practices and standards are required for developers?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?
  • Can you show evidence of security activities performed during development?
  • Can you provide code review or static analysis results?

Ask AI

Configure your API key to use AI features.