
Security Considerations in the Information System Development Life Cycle

Published

Author(s)

Timothy Grance, Joan Hash, Marc Stevens

Abstract

[Superseded by SP 800-64 Rev. 1 (June 2004): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=151285] The need to provide protection for federal information systems has been present since computers were first used. Including security early in the acquisition process for an information system will usually result in less expensive and more effective security than adding it to an operational system once it has entered service. This guide presents a framework for incorporating security into all phases of the information system development life cycle (SDLC) process, from initiation to disposal. This document is a guide to help organizations select and acquire cost-effective security controls by explaining how to include information system security requirements in the SDLC. Five phases of a general SDLC are discussed in this guide: initiation, acquisition/development, implementation, operations/maintenance, and disposition. Each of these five phases includes a minimum set of security steps needed to effectively incorporate security into a system during its development. An organization will either use the general SDLC described in this document or will have developed a tailored SDLC that meets its specific needs. In either case, NIST recommends that organizations incorporate the associated IT security steps of this general SDLC into their own development process.
Citation
Special Publication (NIST SP) - 800-64
Report Number
800-64

Keywords

acquisition, computer security, life cycle, procurement, request for proposal, requirement, Software Development Life Cycle (SDLC), specification, statement of work

Citation

Grance, T., Hash, J. and Stevens, M. (2003), Security Considerations in the Information System Development Life Cycle, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-64 (Accessed April 19, 2024)
Created October 10, 2003, Updated November 10, 2018