Withdrawn on May 31, 2019.
Security Considerations in the System Development Life Cycle
Date Published: October 2008
Supersedes: SP 800-64 Rev. 1 (06/16/2004)
Planning Note (05/31/2019):
This withdrawn publication includes content that is out of date. It is provided here for historical reference.
Readers should refer to NIST SP 800-160 Volume 1 for current information about system life cycle processes and systems security engineering. NIST intends to develop a white paper that describes how the Risk Management Framework (SP 800-37 Rev. 2) relates to system development life cycle processes and stages.
Author(s)
Richard Kissel (NIST), Kevin Stine (NIST), Matthew Scholl (NIST), Hart Rossman (SAIC), Jim Fahlsing (SAIC), Jessica Gulick (SAIC)
The purpose of this guideline is to assist agencies in building security into their IT development processes. This should result in more cost-effective, risk-appropriate security control identification, development, and testing. This guide focuses on the information security components of the System Development Life Cycle (SDLC). Overall system implementation and development is considered outside the scope of this document. Also considered outside scope is an organization’s information system governance process. The guideline describes the key security roles and responsibilities that are needed in development of most information systems. Sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC.
Keywords
Cyber Security; FISMA; SDLC; Computer Security; System Development
Control Families
Planning; System and Services Acquisition