APPENDIX H

SYSTEM LIFE CYCLE CONSIDERATIONS

OTHER FACTORS AFFECTING THE EXECUTION OF THE RMF

All systems, including operational systems, systems under development, and systems that are undergoing modification or upgrade, are in some phase of the SDLC.166 Defining requirements is a critical part of an SDLC process and begins in the initiation phase.167 Security and privacy requirements are part of the functional and nonfunctional168 requirements allocated to a system. The security and privacy requirements are incorporated into the SDLC simultaneously with the other requirements. Without the early integration of security and privacy requirements, significant expense may be incurred by the organization later in the life cycle to address security and privacy concerns that could have been included in the initial design. When security and privacy requirements are defined early in the SDLC and integrated with other system requirements, the resulting system has fewer deficiencies, and therefore, fewer privacy risks or security vulnerabilities that can be exploited in the future.

Integrating security and privacy requirements into the SDLC is the most effective, efficient, and cost-effective method to ensure that the organization’s protection strategy is implemented. It also ensures that security and privacy processes are not isolated from the other processes used by the organization to develop, implement, operate, and maintain the systems supporting ongoing missions and business functions. In addition to incorporating security and privacy requirements into the SDLC, the requirements are integrated into the organization’s program, planning, and budgeting activities to help ensure that resources are available when needed and program and project milestones are completed. The enterprise architecture provides a central record of this integration within an organization.

RISK MANAGEMENT IN THE SYSTEM DEVELOPMENT LIFE CYCLE

Risk management activities begin early in the SDLC and continue throughout the life cycle. These activities are important in helping to shape the security and privacy capabilities of the system; ensuring that the necessary controls are implemented and that the security and privacy risks are being adequately addressed on an ongoing basis; and ensuring that the authorizing officials understand the current security and privacy posture of the system in order to accept the risk to organizational operations and assets, individuals, other organizations, and the Nation.

Ensuring that security and privacy requirements are integrated into the SDLC helps facilitate the development and implementation of more resilient systems to reduce the security and privacy risks (including supply chain risks) to organizational operations and assets, individuals, other organizations, and the Nation. This can be accomplished by using the concept of integrated project teams.169 Organizational officials ensure that security and privacy professionals are part of the SDLC activities. Such team integration fosters an increased level of cooperation among personnel responsible for the design, development, implementation, assessment, operation, maintenance, and disposition of systems and the security and privacy professionals advising the senior leadership on the controls needed to adequately mitigate security and privacy risks and protect organizational missions and business functions.

Finally, organizations maximize the use of security- and privacy-relevant information generated during the SDLC process to satisfy requirements for similar information needed for other security and privacy purposes. The reuse of security and privacy information is an effective method to reduce duplication of effort and documentation; promote reciprocity; and avoid unnecessary costs when security and privacy activities are conducted independently of the SDLC processes. Reuse promotes consistency of information in the development, implementation, assessment, operation, maintenance, and disposition of systems including security and privacy considerations.


166 There are five phases in the SDLC including initiation; development and acquisition; implementation; operation and maintenance; and disposal. [SP 800-64] provides guidance on the SDLC.

167 Organizations may employ a variety of development processes (e.g., waterfall, spiral, or agile).

168 Nonfunctional requirements include, for example, quality and assurance requirements.

169 Integrated project teams are multidisciplinary entities consisting of individuals with a range of skills and roles to help facilitate the development of systems that meet the requirements of the organization.


THE IMPORTANCE OF ARCHITECTURE AND ENGINEERING

Security architects, privacy architects, systems security engineers, and privacy engineers can play an essential role in the SDLC and in the successful execution of the RMF. Security and privacy architects and engineers provide system owners and authorizing officials with technical advice on the selection and implementation of controls in information systems—guiding and informing risk-based decisions across the enterprise.

Security and Privacy Architects:

  • Ensure that security and privacy requirements necessary to protect mission and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the systems supporting those missions and business processes.
  • Serve as the primary liaison between the enterprise architect and the systems security and privacy engineers.
  • Coordinate with system owners, common control providers, and system security and privacy officers on the allocation of controls.
  • Advise authorizing officials, chief information officers, senior accountable officials for risk management/risk executive (function), senior agency information security officers, and senior agency officials for privacy on a range of security and privacy issues.

Security and Privacy Engineers:

  • Ensure that security and privacy requirements are integrated into systems and system elements through purposeful security or privacy architecting, design, development, and configuration.
  • Employ best practices when implementing controls within a system, including the use of software engineering methodologies; systems security or privacy engineering principles; secure or privacy-enhancing design, secure or privacy-enhancing architecture, and secure or privacy-enhancing coding techniques.
  • Coordinate security and privacy activities with senior agency information security officers, senior agency officials for privacy, system owners, common control providers, security and privacy architects, and system security or privacy officers.