{"id":1802,"date":"2024-08-06T18:53:25","date_gmt":"2024-08-06T18:53:25","guid":{"rendered":"https:\/\/www.tarleton.edu\/security-controls-catalog\/?page_id=1802"},"modified":"2025-02-12T18:57:26","modified_gmt":"2025-02-12T18:57:26","slug":"sa-3-system-development-life-cycle","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/system-and-services-acquisition-sa\/sa-3-system-development-life-cycle\/","title":{"rendered":"SA-3: System Development Life Cycle"},"content":{"rendered":"\n<h1 class=\"wp-block-heading has-large-font-size\">SA-3: System Development Life Cycle<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>NIST Baseline: <\/strong>Low&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Privacy Baseline: &nbsp;<\/strong>Yes&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>DIR Required By:<\/strong> &nbsp;07\/20\/2023&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Review Date: \u00a0<\/strong>02\/12\/2025<\/h2>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>All information systems shall be designed, developed, configured, and operated within a security framework that ensures confidentiality, integrity, and availability throughout the information system life cycle. &nbsp;<\/li>\n\n\n\n<li>Information systems shall be acquired, developed, and managed using applicable risk management evaluation practices (similar to those of the <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/37\/r2\/final\" target=\"_blank\" rel=\"noreferrer noopener\">National Institute of Standards and Technology (NIST) SP 800-37<\/a> framework) that incorporate information security and privacy considerations. 
&nbsp;Regardless of the framework adopted, the following steps should be included:&nbsp;\n<ul class=\"wp-block-list\">\n<li>Define and document information security and privacy roles and responsibilities throughout the system development life cycle;&nbsp;<\/li>\n\n\n\n<li>Identify individuals having information security and privacy roles and responsibilities; and&nbsp;<\/li>\n\n\n\n<li>Integrate the organizational information security and privacy risk management process into system development life cycle activities.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The Tarleton State University Chief Information Security Officer (CISO), or their designee, in coordination with information resource owners, is responsible for reviewing the data security requirements and specifications of any new or updated\/modified information systems or services that process and\/or store sensitive or high-impact information.&nbsp;\n<ul class=\"wp-block-list\">\n<li>Third-party security and privacy documentation, like a vendor\u2019s provided <a href=\"https:\/\/www.educause.edu\/higher-education-community-vendor-assessment-toolkit\" target=\"_blank\" rel=\"noreferrer noopener\">Higher Education Community Vendor Assessment Toolkit (HECVAT)<\/a>, can be important documentation for the Tarleton CISO and\/or Office of Innovative Technology Solutions (OITS) &#8211; Security Team to review during the software and\/or information resource procurement and\/or renewal process to help ensure data security requirements are met.\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The unit head or information resource owner of an information resource shall:&nbsp;\n<ul class=\"wp-block-list\">\n<li>Approve and document that the information system is operationally secure and acceptable for use; and&nbsp;<\/li>\n\n\n\n<li>Ensure that lifecycle activities are documented and maintained.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color 
has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>References\/Additional Resources<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">OMB A-130<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-30<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-37<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-160-1<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-171<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-172<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/37\/r2\/final\" target=\"_blank\" rel=\"noreferrer noopener\">NIST SP 800-37<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SA-3: System Development Life Cycle NIST Baseline: Low&nbsp; Privacy Baseline: &nbsp;Yes&nbsp; DIR Required By: &nbsp;07\/20\/2023&nbsp; Review Date: \u00a002\/12\/2025 References\/Additional Resources OMB A-130&nbsp; SP 800-30&nbsp; SP 800-37&nbsp; SP 800-160-1&nbsp; SP 800-171&nbsp; 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":580,"parent":1975,"menu_order":3,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"class_list":["post-1802","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/author\/brian-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-3\/","display_name":"brian"},"relative_dates":{"created":"Posted 2 years ago","modified":"Updated 1 year ago"},"absolute_dates":{"created":"Posted on August 6, 2024","modified":"Updated on February 12, 2025"},"absolute_dates_time":{"created":"Posted on August 6, 2024 6:53 pm","modified":"Updated on February 12, 2025 6:57 pm"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1802","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/comments?post=1802"}],"version-history":[{"count":1,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1802\/revisions"}],"predecessor-version":[{"id":2649,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1802\/revisions\/2649"}],"up":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1975"}],"wp:featuredmedia":[{"embeddable":true,
"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/media?parent=1802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}