NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-15 Development Process, Standards, and Tools

a. Require the developer of the system, system component, or system service to follow a documented development process that:
   1. Explicitly addresses security and privacy requirements;
   2. Identifies the standards and tools used in the development process;
   3. Documents the specific tool options and tool configurations used in the development process; and
   4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options, and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

Practitioner Notes

Require developers (internal and vendor) to follow defined development processes, standards, and tools that include security. Ad-hoc development without standards produces inconsistent and insecure results.

Example 1: Establish a development standards document that specifies: approved programming languages, secure coding standards (OWASP, CERT), required development tools (IDE, version control, SAST/DAST tools), and mandatory security activities at each development phase. All development teams, internal and vendor, must follow these standards.

Example 2: In your CI/CD pipeline, enforce standards through automation: linters check coding standards, SAST tools check security, dependency scanners check for vulnerable libraries, and build pipelines enforce branch protection rules. Code that does not meet standards cannot be merged or deployed.
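The following is an added example written for this page, not code from NIST or from any particular CI product. It shows one way to turn Example 2 and control items a.3 and a.4 into an automated gate: a Python policy check that reads a pipeline definition (a constructed in-memory dict standing in for a YAML file), confirms the mandatory security stages are present and wired into branch protection, confirms every tool reference is pinned to an immutable revision (commit SHA or image digest) so the documented tool configuration is the one that actually runs, and compares the definition's hash against an approved baseline so unreviewed changes to the process itself are rejected. All stage names, tool names, pins, and the `REQUIRED_STAGES` policy are assumptions for illustration.

```python
"""Policy gate for a CI/CD pipeline definition (added example, not NIST text).

Enforces a hypothetical development-standards policy:
  * mandatory security stages (lint, SAST, dependency scan) must exist and be
    required status checks under branch protection,
  * every tool reference must be pinned to an immutable revision, so the
    recorded tool options/configurations are what runs (SA-15 a.3),
  * the definition's hash must match an approved baseline, so changes to the
    process itself are caught and reviewed (SA-15 a.4).
The sample pipelines below are constructed; the pins are placeholder values.
"""
import copy
import hashlib
import json
import re
from typing import List, Optional

# Policy: mandatory stages from the (hypothetical) development standards document.
REQUIRED_STAGES = {"lint", "sast", "dependency-scan"}

# Immutable references: a 40-hex git commit SHA, or an OCI image digest.
_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
_IMAGE_DIGEST = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")

# Constructed placeholder pins (not real artifacts).
PIN_SHA = "0123456789abcdef0123456789abcdef01234567"
PIN_DIGEST = "sha256:" + "ab" * 32

APPROVED_PIPELINE = {
    "name": "service-build",
    "stages": [
        {"name": "lint", "tools": ["actions/checkout@" + PIN_SHA, "ghcr.io/example/linter@" + PIN_DIGEST]},
        {"name": "sast", "tools": ["ghcr.io/example/sast@" + PIN_DIGEST]},
        {"name": "dependency-scan", "tools": ["ghcr.io/example/depscan@" + PIN_DIGEST]},
        {"name": "build", "tools": ["ghcr.io/example/builder@" + PIN_DIGEST]},
    ],
    "branch_protection": {
        "require_reviews": 1,
        "require_status_checks": ["lint", "sast", "dependency-scan"],
    },
}

# A drifted proposal: SAST switched to a floating tag, dependency scan removed.
PROPOSED_PIPELINE = copy.deepcopy(APPROVED_PIPELINE)
PROPOSED_PIPELINE["stages"][1]["tools"] = ["ghcr.io/example/sast:latest"]
del PROPOSED_PIPELINE["stages"][2]


def is_pinned(ref: str) -> bool:
    """True if a tool reference is pinned to a commit SHA or image digest."""
    if "@" in ref:
        tail = ref.rsplit("@", 1)[1]
        if _COMMIT_SHA.match(tail):  # e.g. owner/action@<40-hex sha>
            return True
    return bool(_IMAGE_DIGEST.match(ref))  # e.g. registry/image@sha256:<64-hex>


def config_digest(pipeline: dict) -> str:
    """Canonical SHA-256 of a definition; the approved value is the baseline."""
    canonical = json.dumps(pipeline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check_pipeline(pipeline: dict, approved_digest: Optional[str] = None) -> List[str]:
    """Return policy violations; an empty list means the gate passes."""
    violations: List[str] = []
    stages = pipeline.get("stages", [])
    present = {s.get("name") for s in stages}
    for missing in sorted(REQUIRED_STAGES - present):
        violations.append(f"missing mandatory stage: {missing}")

    required_checks = set(pipeline.get("branch_protection", {}).get("require_status_checks", []))
    for unguarded in sorted(REQUIRED_STAGES - required_checks):
        violations.append(f"branch protection does not require status check: {unguarded}")

    for stage in stages:
        for tool in stage.get("tools", []):
            if not is_pinned(tool):
                violations.append(
                    f"stage {stage.get('name')}: tool '{tool}' is not pinned to an immutable revision"
                )

    if approved_digest is not None and config_digest(pipeline) != approved_digest:
        violations.append("pipeline definition differs from the approved baseline; review required")
    return violations


if __name__ == "__main__":
    baseline = config_digest(APPROVED_PIPELINE)
    print("approved:", check_pipeline(APPROVED_PIPELINE, baseline) or "OK")
    for v in check_pipeline(PROPOSED_PIPELINE, baseline):
        print("proposed:", v)
```

Run as a required status check, the gate fails the merge on any violation, so the drifted proposal cannot reach the default branch until the standards owner re-approves the definition and records the new baseline digest; that recorded digest is the evidence an assessor would ask for under item a.4.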