Report: SP 800-64 Security Considerations in the Information System
Development Life Cycle,
Considerations in the Information System Development Life Cycle
NIST SPECIAL PUBLICATION 800-64 EXECUTIVE
Including security early in the information system development
life cycle (SDLC) will usually result in less expensive and more
effective security than adding it to an operational system. This
guide presents a framework for incorporating security into all
phases of the SDLC process, from initiation to disposal. This document
is a guide to help agencies select and acquire cost-effective security
controls by explaining how to include information system security
requirements in appropriate phases of the SDLC.
A general SDLC is discussed in this guide that includes the following
phases: initiation, acquisition/development, implementation, operations/maintenance,
and disposition. Each of these five phases includes a minimum set
of security steps needed to effectively incorporate security into
a system during its development. An organization will either use
the general SDLC described in this document or will have developed
a tailored SDLC that meets their specific needs. In either case,
NIST recommends that organizations incorporate the associated IT
security steps of this general SDLC into their development process:
– Security Categorization – defines
three levels (i.e., low, moderate, or high) of potential impact
on organizations or
individuals should there be a breach of security (a loss of confidentiality,
integrity, or availability). Security categorization standards
assist organizations in making the appropriate selection of security
controls for their information systems.
– Preliminary Risk Assessment – results
in an initial description of the basic security needs of the
system. A preliminary
risk assessment should define the threat environment in which the
system will operate.
/ Development Phase –
– Risk Assessment – analysis
that identifies the protection requirements for the system through
a formal risk assessment process.
This analysis builds on the initial risk assessment performed during
the Initiation phase, but will be more in-depth and specific.
– Security Functional Requirements Analysis – analysis
of requirements that may include the following components: (1)
system security environment, (i.e., enterprise information security
policy and enterprise security architecture) and (2) security functional
– Security Assurance Requirements Analysis – analysis
of requirements that address the developmental activities required
and assurance evidence needed to produce the desired level of confidence
that the information security will work correctly and effectively.
The analysis, based on legal and functional security requirements,
will be used as the basis for determining how much and what kinds
of assurance are required.
– Cost Considerations and Reporting – determines
how much of the development cost can be attributed to information
over the life cycle of the system. These costs include hardware,
software, personnel, and training
– Security Planning – ensures that agreed upon security
controls, planned or in place, are fully documented. The security
plan also provides a complete characterization or description of
the information system as well as attachments or references to
key documents supporting the agency’s information security
program (e.g., configuration management plan, contingency plan,
incident response plan, security awareness and training plan, rules
of behavior, risk assessment, security test and evaluation results,
system interconnection agreements, security authorizations/accreditations,
and plan of action and milestones).
– Security Control Development – ensures
that security controls described in the respective security plans
developed, and implemented. For information systems currently in
operation, the security plans for those systems may call for the
development of additional security controls to supplement the controls
already in place or the modification of selected controls that
are deemed to be less than effective.
– Developmental Security Test and Evaluation – ensures
that security controls developed for a new information system are
working properly and are effective. Some types of security controls
(primarily those controls of a non-technical nature) cannot be
tested and evaluated until the information system is deployed—these
controls are typically management and operational controls.
– Other Planning Components – ensures
that all necessary components of the development process are
considered when incorporating
security into the life cycle. These components include selection
of the appropriate contract type, participation by all necessary
functional groups within an organization, participation by the
certifier and accreditor, and development and execution of necessary
contracting plans and processes.
Implementation Phase –
– Inspection and Acceptance – ensures
that the organization validates and verifies that the functionality
described in the
specification is included in the deliverables.
– Security Control Integration – ensures
that security controls are integrated at the operational site
where the information
system is to be deployed for operation. Security control settings
and switches are enabled in accordance with vendor instructions
and available security implementation guidance.
– Security Certification – ensures that the controls
are effectively implemented through established verification techniques
and procedures and gives organization officials confidence that
the appropriate safeguards and countermeasures are in place to
protect the organization’s information system. Security certification
also uncovers and describes the known vulnerabilities in the information
– Security Accreditation – provides
the necessary security authorization of an information system
to process, store,
or transmit information that is required. This authorization is
granted by a senior organization official and is based on the verified
effectiveness of security controls to some agreed
upon level of assurance and an identified residual risk to agency
assets or operations.
Operations / Maintenance Phase –
– Configuration Management and Control – ensures
adequate consideration of the potential security impacts due
changes to an information system or its surrounding environment.
Configuration management and configuration control procedures are
critical to establishing an initial baseline of hardware, software,
and firmware components for the information system and subsequently
controlling and maintaining an accurate inventory of any changes
to the system.
– Continuous Monitoring – ensures
that controls continue to be effective in their application through
periodic testing and
evaluation. Security control monitoring (i.e., verifying the continued
effectiveness of those controls over time) and reporting the security
status of the information system to appropriate agency officials
is an essential activity of a comprehensive information security
Disposition Phase –
– Information Preservation – ensures
that information is retained, as necessary, to conform to current
and to accommodate future technology changes that may render the
retrieval method obsolete.
– Media Sanitization– ensures
that data is deleted, erased, and written over as necessary.
– Hardware and Software Disposal – ensures
that hardware and software is disposed of as directed by the
security officer. After discussing these phases and the information
security steps in detail, the guide provides specifications, tasks,
and clauses that can be used in an RFP to acquire information security
features, procedures, and assurances.
Report: SP 800-64 Security Considerations in the Information System
Development Life Cycle, October 2003