4.2 KiB
| implementation-status | control-origination | |||||
|---|---|---|---|---|---|---|
|
|
sa-15 - [catalog] Development Process, Standards, and Tools
Control Statement
-
[a] Require the developer of the system, system component, or system service to follow a documented development process that:
- [1] Explicitly addresses security and privacy requirements;
- [2] Identifies the standards and tools used in the development process;
- [3] Documents the specific tool options and tool configurations used in the development process; and
- [4] Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
-
[b] Review the development process, standards, tools, tool options, and tool configurations frequency to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: organization-defined security and privacy requirements.
Control guidance
Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
Control assessment-objective
the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements; the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements; the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process; the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process; the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process; the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process; the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development; the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed frequency to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy security requirements; the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed frequency to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy privacy requirements.
What is the solution and how is it implemented?
Implementation a.
Add control implementation description here for item sa-15_smt.a
Implementation b.
Add control implementation description here for item sa-15_smt.b