SA-3(2)

Requirement
1. Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and
2. Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.

Discussion

Live data is also referred to as operational data. The use of live or operational data in preproduction (i.e., development, test, and integration) environments can result in significant risks to organizations. In addition, the use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Therefore, it is important for the organization to manage any additional risks that may result from the use of live or operational data. Organizations can minimize such risks by using test or dummy data during the design, development, and testing of systems, system components, and system services. Risk assessment techniques may be used to determine if the risk of using live or operational data is acceptable.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of security and privacy into the system development life cycle process; system development life cycle documentation; security risk assessment documentation; privacy impact assessment; privacy risk assessment documentation; system security plan; privacy plan; data mapping documentation; personally identifiable information processing policy; procedures addressing the authority to test with personally identifiable information; procedures addressing the minimization of personally identifiable information used in testing, training, and research; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with information security and privacy responsibility; organizational personnel with system life cycle development responsibilities].

Test

[SELECT FROM: Organizational processes the use of live data in pre-production environments; mechanisms for protecting live data in pre-production environments].

ID	Assessment Objectives
SA-03(02)(a)[01]	the use of live data in pre-production environments is approved for the system, system component, or system service;
SA-03(02)(a)[02]	the use of live data in pre-production environments is documented for the system, system component, or system service;
SA-03(02)(a)[03]	the use of live data in pre-production environments is controlled for the system, system component, or system service;
SA-03(02)(b)	pre-production environments for the system, system component, or system service are protected at the same impact or classification level as any live data in use within the pre-production environments.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!