SA-3: System Development Life Cycle

NIST Baseline: Low 

Privacy Baseline:  Yes 

DIR Required By:  07/20/2023 

Review Date:  08/01/2024 

  • All information systems shall be designed, developed, configured, and operated within a security framework that ensures confidentiality, integrity, and availability throughout the information system life cycle.  
  • Information systems shall be acquired, developed, and managed using applicable risk management evaluation practices (similar to those of those of the National Institute of Standards and Technology (NIST) SP 800-37 framework) that incorporates information security and privacy considerations.  Regardless of the framework adopted, the following steps should be included: 
    • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; 
    • Identify individuals having information security and privacy roles and responsibilities; and 
    • Integrate the organizational information security and privacy risk management process into system development life cycle activities. 
  • The Tarleton State University Chief Information Security Officer (CISO), or their designee, in coordination with information resource owners, is responsible for reviewing the data security requirements and specifications of any new or updated/modified information systems or services that process and/or store sensitive or high-impact information. 
    • Third-party security and privacy documentation, like a vendor’s provided Higher Education Community Vendor Assessment Toolkit (HECVAT), can be important documentation for the Tarleton CISO and/or Office of Innovative Technology Solutions (OITS) – Security Team to review during the software and/or information resource procurement and/or renewal process to help ensure data security requirements are met. 
  • The unit head or information resource owner of an information resource shall: 
    • Approve and document that the information system is operationally secure and acceptable for use; and 
    • Ensure that lifecycle activities are documented and maintained. 

References/Additional Resources

OMB A-130 

SP 800-30 

SP 800-37 

SP 800-160-1 

SP 800-171 

SP 800-172 

NIST SP 800-37