SA-15: Development Process, Standards, and Tools

Generated: 2019-05-20 15:48:11.984914

Status: Skipped

Statements

The organization:

Code Description
SA-15a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
SA-15a.1. Explicitly addresses security requirements;
SA-15a.2. Identifies the standards and tools used in the development process;
SA-15a.3. Documents the specific tool options and tool configurations used in the development process; and
SA-15a.4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
SA-15b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].

Additional Guidance

Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes.