NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-4(3) — Development Methods, Techniques, and Practices
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: {{ insert: param, sa-04.03_odp.01 }}; {{ insert: param, sa-04.03_odp.02 }} ; and {{ insert: param, sa-04.03_odp.05 }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Following a system development life cycle that includes state-of-the-practice software development methods, systems engineering methods, systems security and privacy engineering methods, and quality control processes helps to reduce the number and severity of latent errors within systems, system components, and system services. Reducing the number and severity of such errors reduces the number of vulnerabilities in those systems, components, and services. Transparency in the methods and techniques that developers select and implement for systems engineering, systems security and privacy engineering, software development, component and system assessments, and quality control processes provides an increased level of assurance in the trustworthiness of the system, system component, or system service being acquired.
Practitioner Notes
Require vendors to use recognized secure development methods, techniques, and practices when building the products and services you acquire. How they build is as important as what they build.
Example 1: In your RFPs, require vendors to describe their SDLC security practices: do they use secure coding standards (OWASP, CERT), perform code reviews, conduct static and dynamic analysis, and do penetration testing before releases? Vendors who cannot articulate their development security practices are a higher risk.
Example 2: Require vendors to attest to compliance with frameworks like NIST SSDF (Secure Software Development Framework) or demonstrate adherence to OWASP SAMM (Software Assurance Maturity Model). Ask for evidence: SAST/DAST scan reports, code review records, or third-party audit results.