Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-15

development process, standards, and tools

assessment objective:

Determine if the organization:

sa-15(a)

requires the developer of the information system, system component, or information system service to follow a documented development process that:

sa-15(a)(1)

explicitly addresses security requirements;

sa-15(a)(2)

identifies the standards and tools used in the development process;

sa-15(a)(3)

sa-15(a)(3)[1]

documents the specific tool options used in the development process;

sa-15(a)(3)[2]

documents the specific tool configurations used in the development process;

sa-15(a)(4)

sa-15(a)(4)[1]

documents changes to the process and/or tools used in the development;

sa-15(a)(4)[2]

manages changes to the process and/or tools used in the development;

sa-15(a)(4)[3]

ensures the integrity of changes to the process and/or tools used in the development;

sa-15(b)

sa-15(b)[1]

defines a frequency to review the development process, standards, tools, and tool options/configurations;

sa-15(b)[2]

defines security requirements to be satisfied by the process, standards, tools, and tool option/configurations selected and employed; and

sa-15(b)[3]

sa-15(b)[3][a]

reviews the development process with the organization-defined frequency to determine if the process selected and employed can satisfy organization-defined security requirements;

sa-15(b)[3][b]

reviews the development standards with the organization-defined frequency to determine if the standards selected and employed can satisfy organization-defined security requirements;

sa-15(b)[3][c]

reviews the development tools with the organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements; and

sa-15(b)[3][d]

reviews the development tool options/configurations with the organization-defined frequency to determine if the tool options/configurations selected and employed can satisfy organization-defined security requirements.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing the integration of security requirements during the development process; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer documentation listing tool options/configuration guides, configuration management records; change control records; configuration control records; documented reviews of development process, standards, tools, and tool options/configurations; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer].