The most effective way to protect information and information systems is to integrate
security into every step of the system development process, from the initiation of a
project to develop a system to its disposition. The multistep process that starts with the
initiation, analysis, design, and implementation, and continues through the maintenance
and disposal of the system, is called the System Development Life Cycle (SDLC).
NIST (National Institute of Standards and Technology) SP 800-64 helps organizations
integrate specific security steps into a linear, sequential SDLC process.
For any SDLC model that is used, information security must be integrated into
the SDLC to ensure appropriate protection for the information that the system will
transmit, process, and store.
Applying the risk management process to system development enables organizations to
balance requirements for the protection of agency information and assets with the cost of
security controls and mitigation strategies throughout the SDLC. Risk management
processes identify critical assets and operations, as well as systemic vulnerabilities across
the organization. Risks are often shared throughout the organization and are not specific
to certain system architectures.
Some of the benefits of integrating security into the system development life cycle are:
- Early identification and mitigation of security vulnerabilities and system
  configuration problems, resulting in lower costs to implement security controls
  and to mitigate vulnerabilities;
- Awareness of potential engineering challenges caused by mandatory security
  controls;
- Identification of shared security services and reuse of security strategies and
  tools, which reduces development costs and improves the system's security posture
  through the application of proven methods and techniques;
- Facilitation of informed, timely executive decision making through the
  application of a comprehensive risk management process;
- Documentation of important security decisions made during the development
  process, to inform management about security considerations during all phases of
  the SDLC;
- Improved organization and customer confidence, which facilitates adoption and use
  of systems and improves confidence in continued investment in government
  systems;
- Improved systems interoperability and integration, which would be difficult to
  achieve if security were considered separately at the various system levels.
Additional Security Considerations
Some IT development projects are service-based and may involve other organizations,
such as public-private sector supply chain endeavors. Other projects are facility-oriented,
such as the establishment of a data center or a hot site. Organizations developing projects
such as these should follow the principles for integrating security into the SDLC, as they
examine and address the additional security considerations involved in these projects.
NIST SP 800-64 is a reference document that should be used in conjunction with other
NIST publications throughout the development of the system.
Publications developed by NIST help information management and information security
personnel in planning and implementing a comprehensive approach to information
security. The general security of information systems depends upon attention to basic
issues such as security planning, certification and accreditation, risk management,
categorization of systems, and use of security controls. Organizations can draw upon
NIST standards and guidelines to carry out their SDLC activities, including:
- Federal Information Processing Standard (FIPS) 140-2, Security Requirements for
  Cryptographic Modules;
- FIPS 199, Standards for Security Categorization of Federal Information and
  Information Systems;
- FIPS 200, Minimum Security Requirements for Federal Information and Information
  Systems;
- NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal
  Information Systems;
- NIST SP 800-30, Risk Management Guide for Information Technology Systems.