CCI-004679
CCI-004679 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component, or system service.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of security and supply chain risk management into the system development life cycle process; system development life cycle documentation; procedures addressing program protection planning; criticality analysis results; security and supply chain risk management strategy/program documentation; system security plan; supply chain risk management plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security and system life cycle development responsibilities; organizational personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for defining and documenting the system development life cycle; organizational processes for identifying system development life cycle roles and responsibilities; organizational process for integrating security risk management into the system development life cycle; mechanisms supporting and/or implementing the system development life cycle].