NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-15(6) — Continuous Improvement
Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Developers of systems, system components, and system services consider the effectiveness and efficiency of their development processes for meeting quality objectives and addressing the security and privacy capabilities in current threat environments.
Practitioner Notes
Continuously improve your development process by learning from security findings, incidents, and industry best practices. The development process should get more secure over time, not stay static.
Example 1: After each release, conduct a security retrospective that reviews: what security findings were discovered during development, how long they took to fix, whether any escaped to production, and what process improvements would prevent similar issues in the future. Implement the improvements in the next sprint.
Example 2: Track your security metrics over time and set improvement targets. If you found 50 high-severity issues per release last year, target 30 this year through improved training, better tools, and earlier security reviews. Celebrate improvements and investigate regressions.
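The retrospective and metrics tracking described in the two examples above can be automated. The following is an added illustration, not part of the NIST text or any particular tool: it assumes a simple per-finding record (release, severity, phase in which the finding was discovered, days to fix) and computes the per-release figures the retrospective reviews, then flags releases that miss a high-severity target or regress against the prior release.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Finding:
    release: str
    severity: str     # "high", "medium" or "low"
    found_phase: str  # "design", "code_review", "testing" or "production"
    days_to_fix: int  # calendar days from discovery to verified fix


def retrospective(findings, release):
    """Summarise one release: what was found, how fast it was fixed,
    and how much escaped to production."""
    rel = [f for f in findings if f.release == release]
    high = [f for f in rel if f.severity == "high"]
    escaped = [f for f in rel if f.found_phase == "production"]
    return {
        "total": len(rel),
        "high": len(high),
        "escaped": len(escaped),
        "escape_rate": round(len(escaped) / len(rel), 2) if rel else 0.0,
        "mean_days_to_fix": round(mean(f.days_to_fix for f in rel), 1) if rel else 0.0,
    }


def assess_trend(findings, releases, high_target):
    """Walk releases in order, check each against the high-severity target
    and mark a regression whenever the count rises versus the prior release."""
    results, prev_high = [], None
    for r in releases:
        s = retrospective(findings, r)
        s["release"] = r
        s["meets_target"] = s["high"] <= high_target
        s["regression"] = prev_high is not None and s["high"] > prev_high
        prev_high = s["high"]
        results.append(s)
    return results


# Constructed sample data covering three releases (hypothetical values).
FINDINGS = [
    Finding("1.0", "high", "code_review", 5), Finding("1.0", "high", "testing", 3),
    Finding("1.0", "high", "production", 10), Finding("1.0", "medium", "testing", 2),
    Finding("1.1", "high", "design", 1), Finding("1.1", "high", "code_review", 4),
    Finding("1.1", "low", "testing", 1),
    Finding("1.2", "high", "testing", 6), Finding("1.2", "high", "testing", 2),
    Finding("1.2", "high", "production", 12), Finding("1.2", "high", "code_review", 4),
]

if __name__ == "__main__":
    for row in assess_trend(FINDINGS, ["1.0", "1.1", "1.2"], high_target=2):
        print(row)
```

Release 1.2 is reported as both missing the target and regressing against 1.1, which is the signal that should trigger the investigation Example 2 calls for.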