SA-4(3)

  • Requirement

    Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:

    1. [Assignment: organization-defined systems engineering methods];
    2. organization-defined [Selection (one or more): systems security; privacy<#:assign> engineering methods]; and
    3. [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes].
  • Discussion

    Following a system development life cycle that includes state-of-the-practice software development methods, systems engineering methods, systems security and privacy engineering methods, and quality control processes helps to reduce the number and severity of latent errors within systems, system components, and system services. Reducing the number and severity of such errors reduces the number of vulnerabilities in those systems, components, and services. Transparency in the methods and techniques that developers select and implement for systems engineering, systems security and privacy engineering, software development, component and system assessments, and quality control processes provides an increased level of assurance in the trustworthiness of the system, system component, or system service being acquired.

More Info

  • Title

    Acquisition Process | Development Methods, Techniques, and Practices
  • Family

    System and Services Acquisition
  • NIST 800-53B Baseline(s)

    • Related NIST 800-53 ID

    NIST 800-53A Assessment Guidance

    CMMC Training

    Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!