SYSTEM LIFE CYCLE CONSIDERATIONS
OTHER FACTORS EFFECTING THE EXECUTION OF THE RMF
All systems, including operational systems, systems under development, and systems that are undergoing modification or upgrade, are in some phase of the SDLC.166 Defining requirements is a critical part of an SDLC process and begins in the initiation phase.167 Security and privacy requirements are part of the functional and nonfunctional168 requirements allocated to a system. The security and privacy requirements are incorporated into the SDLC simultaneously with the other requirements. Without the early integration of security and privacy requirements, significant expense may be incurred by the organization later in the life cycle to address security and privacy concerns that could have been included in the initial design. When security and privacy requirements are defined early in the SDLC and integrated with other system requirements, the resulting system has fewer deficiencies, and therefore, fewer privacy risks or security vulnerabilities that can be exploited in the future.
Integrating security and privacy requirements into the SDLC is the most effective, efficient, and cost-effective method to ensure that the organization’s protection strategy is implemented. It also ensures that security and privacy processes are not isolated from the other processes used by the organization to develop, implement, operate, and maintain the systems supporting ongoing missions and business functions. In addition to incorporating security and privacy requirements into the SDLC, the requirements are integrated into the organization’s program, planning, and budgeting activities to help ensure that resources are available when needed and program and project milestones are completed. The enterprise architecture provides a central record of this integration within an organization.
RISK MANAGEMENT IN THE SYSTEM DEVELOPMENT LIFE CYCLE
Risk management activities begin early in the SDLC and continue throughout the life cycle. These activities are important in helping to shape the security and privacy capabilities of the system; ensuring that the necessary controls are implemented and that the security and privacy risks are being adequately addressed on an ongoing basis; and ensuring that the authorizing officials understand the current security and privacy posture of the system in order to accept the risk to organizational operations and assets, individuals, other organizations, and the Nation.
Ensuring that security and privacy requirements are integrated into the SDLC helps facilitate the development and implementation of more resilient systems to reduce the security and privacy risks (including supply chain risks) to organizational operations and assets, individuals, other organizations, and the Nation. This can be accomplished by using the concept of integrated project teams.169 Organizational officials ensure that security and privacy professionals are part of the SDLC activities. Such team integration fosters an increased level of cooperation among personnel responsible for the design, development, implementation, assessment, operation, maintenance, and disposition of systems and the security and privacy professionals advising the senior leadership on the controls needed to adequately mitigate security and privacy risks and protect organizational missions and business functions.
Finally, organizations maximize the use of security- and privacy-relevant information generated during the SDLC process to satisfy requirements for similar information needed for other security and privacy purposes. The reuse of security and privacy information is an effective method to reduce duplication of effort and documentation; promote reciprocity; and avoid unnecessary costs when security and privacy activities are conducted independently of the SDLC processes. Reuse promotes consistency of information in the development, implementation, assessment, operation, maintenance, and disposition of systems including security and privacy considerations.
166 There are five phases in the SDLC including initiation; development and acquisition; implementation; operation and maintenance; and disposal. [SP 800-64] provides guidance on the SDLC.
167 Organizations may employ a variety of development processes (e.g., waterfall, spiral, or agile).
168 Nonfunctional requirements include, for example, quality and assurance requirements.
169 Integrated project teams are multidisciplinary entities consisting of individuals with a range of skills and roles to help facilitate the development of systems that meet the requirements of the organization.
THE IMPORTANCE OF ARCHITECTURE AND ENGINEERING
Security architects, privacy architects, systems security engineers, and privacy engineers can play an essential role in the SDLC and in the successful execution of the RMF. Security and privacy architects and engineers provide system owners and authorizing officials with technical advice on the selection and implementation of controls in information systems—guiding and informing risk-based decisions across the enterprise.
Security and Privacy Architects:
- Ensure that security and privacy requirements necessary to protect mission and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the systems supporting those missions and business processes.
- Serve as the primary liaison between the enterprise architect and the systems security and privacy engineers.
- Coordinate with system owners, common control providers, and system security and privacy officers on the allocation of controls.
- Advise authorizing officials, chief information officers, senior accountable officials for risk management/risk executive (function), senior agency information security officers, and senior agency officials for privacy on a range of security and privacy issues.
Security and Privacy Engineers:
- Ensure that security and privacy requirements are integrated into systems and system elements through purposeful security or privacy architecting, design, development, and configuration.
- Employ best practices when implementing controls within a system, including the use of software engineering methodologies; systems security or privacy engineering principles; secure or privacy-enhancing design, secure or privacy-enhancing architecture, and secure or privacy-enhancing coding techniques.
- Coordinate security and privacy activities with senior agency information security officers, senior agency officials for privacy, system owners, common control providers, security and privacy architects, and system security or privacy officers.