SA-15 Development Process, Standards, and Tools
a. Require the developer of the system, system component, or system service to follow a documented development process that:
1. Explicitly addresses security and privacy requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Review the development process, standards, tools, tool options, and tool configurations sa-15_odp.01 to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: sa-15_prm_2.
| Parameter ID | Definition |
|---|---|
| sa-15_prm_2 | organization-defined security and privacy requirements |
| sa-15_odp.01 | frequency |
| sa-15_odp.02 | security requirements |
| sa-15_odp.03 | privacy requirements |
Baselines
- L
- M
- H
- P
Guidance
Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
References 2
- SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
- IR 8179 Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179.
Control Enhancements 12
- SA-15(01) Quality Metrics L M H P
- SA-15(02) Security and Privacy Tracking Tools L M H P
- SA-15(03) Criticality Analysis L M H P
- SA-15(04) Threat Modeling and Vulnerability Analysis
- SA-15(05) Attack Surface Reduction L M H P
- SA-15(06) Continuous Improvement L M H P
- SA-15(07) Automated Vulnerability Analysis L M H P
- SA-15(08) Reuse of Threat and Vulnerability Information L M H P
- SA-15(09) Use of Live Data
- SA-15(10) Incident Response Plan L M H P
- SA-15(11) Archive System or Component L M H P
- SA-15(12) Minimize Personally Identifiable Information L M H P
Related controls 11
- MA-06 Timely Maintenance L M H P
- SA-03 System Development Life Cycle L M H P
- SA-04 Acquisition Process L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SA-10 Developer Configuration Management L M H P
- SA-11 Developer Testing and Evaluation L M H P
- SR-03 Supply Chain Controls and Processes L M H P
- SR-04 Provenance L M H P
- SR-05 Acquisition Strategies, Tools, and Methods L M H P
- SR-06 Supplier Assessments and Reviews L M H P
- SR-09 Tamper Resistance and Detection L M H P