
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

CHAPTER TWO: THE FUNDAMENTALS

2.1   BASIC ASSUMPTIONS


Security and privacy assessments can be effectively carried out at various stages in the system development life cycle [15] to increase the grounds for confidence that the security and privacy controls employed within or inherited by an information system are effective in their application. This publication provides a comprehensive set of assessment procedures to support security and privacy assessment activities throughout the system development life cycle. For example, security assessments are routinely conducted by system developers and system integrators during the development/acquisition and implementation phases of the life cycle. Privacy assessments are conducted by senior agency officials for privacy/privacy officers and privacy staff in these early life cycle phases as well. This helps to ensure that the required security and privacy controls for the system are properly designed and developed, correctly implemented, and consistent with the established organizational information security architecture before the system enters the operations and maintenance phase. Security assessments in the initial system development life cycle phases include, for example, design and code reviews, application scanning, and regression testing. Privacy assessments include reviews to ensure that applicable privacy laws and policies are adhered to and that privacy protections are embedded in system design. Security-related and privacy-related weaknesses and deficiencies identified early in the system development life cycle can be resolved more quickly and in a much more cost-effective manner before proceeding to subsequent phases in the life cycle. The objective is to identify the security and privacy controls early in the life cycle to ensure that the system design and testing validate the implementation of these controls. The assessment procedures described in Appendices F and J support assessments carried out during the initial stages of the system development life cycle.

Security and privacy assessments are also conducted during the operations and maintenance phase of the life cycle to ensure that security and privacy controls continue to be effective in the operational environment and can protect against constantly evolving threats. Security assessments are typically conducted by information system owners, common control providers, information system security officers, independent assessors, auditors, and Inspectors General. Privacy assessments are typically conducted by senior agency officials for privacy/privacy officers and privacy staff. For example, organizations assess all security controls and privacy controls employed within and inherited by the information system during the initial security authorization. Subsequent to the initial authorization, the organization assesses all implemented security controls on an ongoing basis in accordance with its Information Security Continuous Monitoring strategy. [16] Privacy controls are also assessed on an ongoing basis to ensure compliance with applicable privacy laws and policies. The ongoing assessment and monitoring of security controls and privacy controls use the assessment procedures defined in this publication. The frequency of such assessments and monitoring is determined by the organization and/or information system owner or common control provider and approved by the authorizing official. Finally, at the end of the life cycle, security assessments are conducted to ensure that important organizational information is purged from the information system prior to disposal. Privacy assessments are also conducted to ensure adherence to organizational retention schedules.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056