The organization:
-
a: Requires the developer of the information system, system component, or information system service to follow a documented development process that:
-
1: Explicitly addresses security requirements;
-
2: Identifies the standards and tools used in the development process;
-
3: Documents the specific tool options and tool configurations used in the development process; and
-
4: Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
-
b: Reviews the development process, standards, tools, and tool options/configurations [organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [organization-defined security requirements].
Supplemental
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes.