SP 800-64 (REV. 1), NIST SPECIAL PUBLICATION: SECURITY CONSIDERATIONS IN THE INFORMATION SYSTEM DEVELOPMENT LIFE CYCLE (JUN 2004)

SP 800-64 (REV. 1), NIST SPECIAL PUBLICATION: SECURITY CONSIDERATIONS IN THE INFORMATION SYSTEM DEVELOPMENT LIFE CYCLE (JUN 2004)., Including security early in the information system development life cycle (SDLC) will usually result in less expensive and more effective security than adding it to an operational system. This guide presents a framework for incorporating security into all phases of the SDLC process, from initiation to disposal. This document is a guide to help agencies select and acquire cost-effective security controls by explaining how to include information system security requirements in appropriate phases of the SDLC. A general SDLC is discussed in this guide that includes the following phases: initiation, acquisition/development, implementation, operations/maintenance, and disposition. Each of these five phases includes a minimum set of security steps needed to effectively incorporate security into a system during its development. An organization will either use the general SDLC described in this document or will have developed a tailored SDLC that meets their specific needs. In either case, NIST recommends that organizations incorporate the associated IT security steps of this general SDLC into their development process: