Executive Summary
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64, Security Considerations in the System Development Life Cycle, has been developed to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC).
This guideline applies to all federal IT systems other than national security systems. The document is intended as a reference resource rather than as a tutorial and should be used in conjunction with other NIST publications as needed throughout the development of the system.
This publication serves a federal audience of information system and information security professionals, including information system owners, information owners, information system developers and program managers.
To be most effective, information security must be integrated into the SDLC from system inception. Early integration of security into the SDLC enables agencies to maximize the return on investment in their security programs through:
• Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation;
• Awareness of potential engineering challenges caused by mandatory security controls;
• Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; and
• Facilitation of informed executive decision making through comprehensive risk management in a timely manner.
This guide focuses on the information security components of the SDLC. First, descriptions of the key security roles and responsibilities that are needed in most information system developments are provided. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC.
This document integrates the security steps into the linear, sequential (a.k.a. waterfall) SDLC. The five-step SDLC cited in this document is an example of one method of development and is not intended to mandate this methodology.
Lastly, SP 800-64 provides insight into IT projects and initiatives that are not as clearly defined as SDLC-based developments, such as service-oriented architectures, cross-organization projects, and IT facility developments.