Version 1

High-Level Life Cycle Diagram

Purpose

The information system development life cycle (SDLC) spans the entire time that a system has been conceptualized, planned, designed, developed, procured, installed, and implemented, maintained, and finally retired from service. Independent testing and certification of security controls is required of all government information systems. It is mandatory that security measures be included early in the life cycle of all NASA programs and projects. Incorporating security early in the SDLC will result in less expensive and more effective security than retrofitting security into an already operational system. Additionally, incorporating security early in the life cycle will provide greater assurance that the system is adequately protected to pass certification testing and therefore be accredited to operate.

The following activities are performed in each of the five phases of the SDLC.

(1) Initiation Phase

(a) Identify Mission Requirements – An initial definition of a problem that might be solved through automation. The idea for a new or substantially upgraded system and the feasibility of the idea are explored.

(b) Capital Planning – Integration of IT security into the capital planning and investment process through a systematic approach to selecting, managing, and evaluating cyber security investments. See NPR 2810.1, Chapter 3 and NPR 2810.1 SG12.3 Capital Planning.

(c) Security Categorization and System Type Identification – Defines three levels (i.e., low, moderate, or high) of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). Security categorization standards assist organizations in making the appropriate selection of security controls for their information systems. See NPR 2810.1, Chapter 10, Categorization of Information. Determine whether the system should be a major application or a general support system. See NPR 2810.1, Chapter 11, Information System Types, and NPR 2810.1, SG 6.1, Categorization of Information and Impact Levels.

(d) Identification of Master and Subordinate System Plans – Determines whether the proposed requirement can be met as a subordinate system to an existing master plan, or whether the requirements should be met with a new master plan. See NPR 2810.1, Chapter 13, and NPR 2810.1, SG 1.1, Designation of Master and Subordinate IT Security Plans.

(e) Preliminary Risk Assessment – Results in an initial description of the basic security needs of the system and defines the threat environment in which the system will operate. See NPR 2810.1, Chapter 16, Risk Management, and NPR 2810.1, SG 2.1, Risk Management Process and Templates.

(2) Acquisition/Development Phase

(a) Requirements Analysis – Establish and document requirements for information system resources in the Acquisition/Development phase by conducting a requirements analysis, which is an in-depth study of the need, commensurate with the size and complexity of that need. The requirements analysis draws on and further develops the work performed during the Initiation phase.

(b) Security Operational Requirements Analysis – Analyze the requirements, which may include the system security environment (including the enterprise architecture), security functional requirements, and an analysis of applicable laws and regulations.

(c) Acquisition – Selection of the appropriate contract type, participation by all necessary functional groups within an organization, participation by the certifier and accreditor, and development and execution of necessary contracting plans and processes.

(d) Risk Assessment and Risk Mitigation Plan – Identify the protection requirements for the system through a formal risk assessment process. This analysis builds on the initial risk assessment performed during the Initiation phase, but is more in-depth and specific. The risk assessment brings together important information with regard to the protection of the information and information system and generates essential information required for the security plan. The risk assessment will be conducted before the approval of design specifications.

(e) Cost Considerations and Reporting – Determine how much of the development cost can be attributed to information security over the life cycle of the system. These costs include hardware, software, personnel, and training. Risk mitigation includes conducting a cost-benefit analysis on the recommended controls to determine whether they are cost effective given the likelihood of an incident and the potential impact. Once the controls are selected, the cost of each can be totaled for an overall security cost.

(f) Security Planning – Ensure that the agreed upon security controls, planned or in place, are fully documented. The security plan provides a complete characterization or description of the information system. The IT security plan also provides attachments or references to key documents supporting the agency’s information security program (e.g., configuration management plan, contingency plan, incident response plan, security awareness and training plan, rules of behavior, risk assessment, security test and evaluation results, system interconnection agreements, security authorizations/accreditations, and plan of action and milestones).

(g) Security Control Development and Testing – Ensure that security controls are designed, developed, and implemented. For information systems currently in operation, the security plans for those systems may call for the development of additional security controls to supplement the controls already in place or the modification of selected controls that are deemed less than effective. Ensure that security controls developed for a new information system are working properly and are effective. Some types of security controls (primarily those controls of a non-technical nature) cannot be tested and evaluated until the information system is deployed—these controls are typically management and operational controls.

(3) Implementation Phase

(a) Security Control Integration – Ensure that security controls are integrated at the operational site where the information system is to be deployed for operation. Ensure that security control settings, switches, and network configurations are enabled in accordance with vendor instructions and available security implementation guidance.

(b) Security Certification – Ensure that the controls are effectively implemented through established verification techniques and procedures and give organization officials confidence that the appropriate safeguards and countermeasures are in place to protect the organization’s information system. Security certification also uncovers and describes the known vulnerabilities in the information system. Ensure that there is periodic testing and evaluation of security controls in an information system to ensure that the controls are effectively implemented. The comprehensive evaluation of security control effectiveness through established verification techniques and procedures is a critical activity conducted by NASA or an independent third party on behalf of NASA.

(c) Security Accreditation – Provide the necessary security authorization for the information system to process, store, or transmit information. This authorization is granted by a senior organization official and is based on the verified effectiveness of security controls to some agreed upon level of assurance and an identified residual risk to NASA’s assets or operations. The NASA authorizing official relies primarily on (i) the completed security plan; (ii) the security test and evaluation results; and (iii) the plan of action and milestones for reducing or eliminating information system vulnerabilities, in making the security accreditation decision on whether to authorize operation of the information system and to explicitly accept the residual risk to NASA assets or operations.

(4) Operations and Maintenance

(a) Configuration Management and Control – Ensure adequate consideration of the potential security impacts due to specific changes to an information system or its surrounding environment. Configuration management and configuration control procedures are critical to establishing an initial baseline of hardware, software, firmware, and application components for the information system and subsequently controlling and maintaining an accurate inventory of any changes to the system. Documenting information system changes and assessing the potential impact on the security of the system on an on-going basis is an essential and required aspect of maintaining security accreditation.

(b) Continuous Monitoring – Ensure that controls continue to be effective in their application through periodic testing and evaluation. Security control monitoring (i.e., verifying the continued effectiveness of those controls over time) and reporting the security status of the information system to appropriate agency (management) officials is an essential activity of a comprehensive information security program.

(5) Disposal Phase

(a) Information Preservation – Ensure that information is retained, as necessary, to conform to current legal requirements and to accommodate future technology changes that may render the retrieval method obsolete.

(b) Media Sanitization – Ensure the elimination of all data/information, including software, by overwriting or degaussing media with a Center-approved wipe utility.

(c) Hardware and Software Disposal – Ensure that hardware and software are disposed of as directed by the information system security officer or a NASA-established process.

Additional References

Additional information on the system development life cycle can be found in NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle.