The SDLC methodology provides a structured approach to managing IT projects. It also allows introduction of IT security planning, including budgeting, review, and oversight. The SDLC process begins when the Program Authorization decision (discussed in Section 3.2) within a CPIC determines that an IT project should be initiated.
There are eight distinct phases in the SDLC, as depicted in the figure below:
[Figure: SDLC Process]
DHS Policy
a. Components shall ensure that system security is integrated into all phases of the System Development Life Cycle (SDLC).
b. Components shall ensure that security requirements for sensitive IT systems are incorporated into life-cycle documentation.
c. All custom developed code shall be reviewed, approved and signed by the Program Manager prior to deployment into production environments. The Program Manager may delegate this authority to another DHS employee in writing. This authority shall not be delegated to contractor personnel.
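One way a deployment pipeline could make policy item c machine-checkable is to require a signed approval record before any custom code is promoted to production. The following is an added example, not DHS code and not a mechanism the Handbook prescribes: it assumes a signer registry (who holds Program Manager authority, who holds a written delegation, and who is a DHS employee versus a contractor), HMAC-keyed approval records, and constructed keys and memo placeholders.

```python
"""Pre-deployment gate modelled on policy item c (added example, not DHS code).

Refuses a release unless an approval record exists, its signature verifies,
it is bound to the exact code being deployed, and the signer is the Program
Manager or a DHS employee holding a written delegation. Contractor personnel
are rejected even if a delegation entry exists for them.
"""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed signer registry (assumption): authority and employment status.
SIGNER_REGISTRY = {
    "pm.alice":  {"role": "program_manager", "dhs_employee": True},
    "dep.bob":   {"role": "delegate", "dhs_employee": True,
                  "delegation_memo": "MEMO-ID-PLACEHOLDER"},
    "ctr.carol": {"role": "delegate", "dhs_employee": False,
                  "delegation_memo": "MEMO-ID-PLACEHOLDER"},
}

# Constructed per-signer HMAC keys (assumption). In practice these would be
# held by the approver in an HSM or signing service, never in the pipeline.
SIGNING_KEYS = {
    "pm.alice":  b"constructed-key-alice",
    "dep.bob":   b"constructed-key-bob",
    "ctr.carol": b"constructed-key-carol",
}


def code_digest(source: bytes) -> str:
    """SHA-256 of the exact artifact that will be deployed."""
    return hashlib.sha256(source).hexdigest()


def _canonical(payload: dict) -> bytes:
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True).encode()


def sign_approval(signer: str, digest: str, release: str) -> dict:
    """Approver side: bind the approval to a code digest and release id."""
    payload = {"signer": signer, "digest": digest, "release": release}
    sig = hmac.new(SIGNING_KEYS[signer], _canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "signature": sig}


def check_deployment(source: bytes, approval: dict) -> Tuple[bool, str]:
    """Pipeline side: return (allowed, reason) for a proposed deployment."""
    signer = approval.get("signer")
    entry = SIGNER_REGISTRY.get(signer)
    if entry is None:
        return False, "unknown signer"
    # Policy c: authority never rests with contractor personnel.
    if not entry["dhs_employee"]:
        return False, "signer is contractor personnel"
    # Policy c: delegation must be in writing; otherwise only the PM may sign.
    if entry["role"] == "delegate" and not entry.get("delegation_memo"):
        return False, "delegate lacks written delegation"
    if entry["role"] not in ("program_manager", "delegate"):
        return False, "signer lacks approval authority"
    # The signature must cover signer, digest and release together, so a
    # record cannot be re-used for a different build or release.
    payload = {k: approval.get(k) for k in ("signer", "digest", "release")}
    expected = hmac.new(SIGNING_KEYS[signer], _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, approval.get("signature", "")):
        return False, "signature invalid"
    if approval.get("digest") != code_digest(source):
        return False, "approved digest does not match code being deployed"
    return True, "approved"


if __name__ == "__main__":
    # Constructed sample artifact.
    build = b"print('release candidate')\n"
    record = sign_approval("pm.alice", code_digest(build), "rel-1")
    print(check_deployment(build, record))
    print(check_deployment(build + b"# late change\n", record))
```

The gate binds the approval to a digest rather than to a file name or version string, so any change to the code after sign-off, however small, invalidates the approval and forces a fresh review.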
SDLC responsibilities are provided below.
SDLC Responsibilities
CIO
• Defines and promulgates the DHS SDLC process.
• Ensures that IT security life cycle planning is integrated into DHS capital planning and investment control process.
CISO
• Ensures that IT security requirements are included in the DHS SDLC.
• Oversees proper implementation of security controls in system development.
ISSMs
• Establish procedures for reviewing compliance with SDLC documentation requirements.
• Participate in capital planning and investment management meetings involving SDLC considerations for IT systems and networks.
• Ensure that required IT security documentation is produced and reviewed in accordance with SDLC milestones.
• Approve IT security documentation produced as part of the SDLC process (except the C&A package).
ISSOs
• Participate in planning and executing the SDLC process.
• Provide IT security expertise to system development teams.
• Review and comment on all SDLC security documents.
System Owners/IT Project Managers
• Ensure required security documents and reviews are included in the SDLC.
• Ensure that adequate funding is available for implementation of security requirements.
• Prepare required security documents.
3.6.1 Planning
The Planning Phase defines the system concept from the user’s perspective and establishes a comprehensive plan for developing the system. IT security activities include the following:
• Preparation of the initial Risk Assessment and Security Plan.
• Ensuring that adequate budgetary resources for IT security requirements are available.
3.6.2 Requirements Definition
During the Requirements Definition Phase, users and technical staff define detailed requirements to ensure that the system will meet user requirements. This results in the establishment of a Functional Baseline. IT security activities include:
• Updating the Risk Assessment and Security Plan
• Reviewing IT Baseline Security Requirements (DHS 4300A Attachment A)
• Reviewing IT Security budget requirements
• Preparing the initial security inputs to the IT Training Plan
• Preparing the initial Contingency Plan.
3.6.3 Design
The system development then moves to the Design Phase, during which the requirements are transformed into detailed design specifications. During the Design Phase, an Allocated Baseline is established and documented in the System Design Document. IT security activities include the following:
• Updating the Risk Assessment and Security Plan
• Reviewing budget requirements
• Updating the security information in the IT Training Plan
• Updating the Contingency Plan
• Preparing the initial Certification and Accreditation (C&A) package.
3.6.4 Development
After formal approval of the design, the IT project enters the Development Phase. During this phase, the development team builds the system according to the design specified during the Design Phase and conducts development testing. The Development Phase represents an iterative process during which the development team builds the system, tests the system build, modifies the system based on any problems identified during Development Testing, and then tests the modified system build. IT security activities include the following:
• Conducting the initial Developmental Security Test and Evaluation (ST&E)
• Updating the Risk Assessment and Security Plan
• Developing the initial Operational ST&E
• Reviewing budget requirements
• Updating the C&A package.
3.6.5 Test
When the developed system is fully functional and has successfully passed Development Testing, the system development project moves into the Test Phase. During this phase, Independent Testing and Evaluation is conducted to ensure that the developed system functions properly, satisfies the requirements (including security requirements) developed in the Requirements Definition Phase, and performs adequately in the host environment. IT security activities include:
• Conducting formal Developmental ST&E
• Reviewing budget requirements
• Updating the Risk Assessment and Security Plan
• Updating the C&A package.
3.6.6 Implementation
The system development project enters the Implementation Phase after the system has successfully passed testing and is ready for deployment. The output of this phase is the Product Baseline, which consists of the production system, databases, an updated data dictionary, associated infrastructure, and supporting documentation. During this phase the system is deployed to designated production sites. IT security activities include the following:
• Conducting the Operational ST&E on upgraded or new systems
• Reviewing adequacy of budget requirements
• Finalizing the security inputs in the IT Training Plans
• Updating the Risk Assessment and Security Plan
• Finalizing the Certification and Accreditation (C&A) package.
3.6.7 Operations and Maintenance
After the system has been successfully deployed, it enters the Operations and Maintenance (O&M) Phase. During this phase, the system becomes operational and any necessary system modifications are identified and documented as “System Change Requests.” These changes must be formally approved before they can be implemented. IT security activities include the following:
• Reviewing C&A status and maintaining the currency of the C&A documentation
• Conducting annual user security awareness training and role-based training (e.g., training for ISSOs, DAAs, network and system administrators, managers)
• Maintaining adequate budgetary resources.
3.6.8 Disposition
Finally, the system is retired from the operational environment during the Disposition Phase.
Activities during this phase involve:
• Terminating system operations
• Removing the system from the production environment
• Archiving the system components, data, and documentation
• Disposing of equipment and media in accordance with security requirements.