The system development life cycle is the overall process of developing, implementing,
and retiring information systems through a multistep process from initiation, analysis,
design, implementation, and maintenance to disposal. There are many different SDLC
models and methodologies, but each generally consists of a series of defined steps or
phases. For any SDLC model that is used, information security must be integrated into
the SDLC to ensure appropriate protection for the information that the system will
transmit, process, and store.
Applying the risk management process to system development enables organizations to
balance requirements for the protection of agency information and assets with the cost of
security controls and mitigation strategies throughout the SDLC. Risk management
processes identify critical assets and operations, as well as systemic vulnerabilities across
the organization. Risks are often shared throughout the organization and are not specific
to certain system architectures.
Some of the benefits of integrating security into the system development life cycle
- Early identification and mitigation of security vulnerabilities and problems with
the configuration of systems, resulting in lower costs to implement security
controls and mitigation of vulnerabilities;
- Awareness of potential engineering challenges caused by mandatory security
- Identification of shared security services and reuse of security strategies and tools
that will reduce development costs and improve the system’s security posture
through the application of proven methods and techniques;
- Facilitation of informed executive decision making through the application of a
comprehensive risk management process in a timely manner.
- Documentation of important security decisions made during the development
process to inform management about security considerations during all phases of
- Improved organization and customer confidence to facilitate adoption and use of
systems, and improved confidence in the continued investment in government
- Improved systems interoperability and integration that would be difficult to
achieve if security is considered separately at various system levels.