In this course, we discussed the System Development Life Cycle, SDLC, as part of the risk management process. First, let's start with NIST special publication 800-64, the security considerations into system development life cycle. This has been withdrawn and includes content that is out of date. You will, however, still find it as a resource, even though it's outdated. We're going to refer instead to the NIST special publication 800-160 Volume 1, which has the current information about the system lifecycle process and system security engineering. NIST intended to develop a white paper that describes how the risk management framework, special publication 800-37 relates to the system development lifecycle process, and stages but has not released it yet. Everything has a lifecycle from cradle to grave. These would be the stages in 800-160 Volume 1, which support the processes outlined here on the screen. These processes are what we consider when implementing the NIST 800-37 risk management framework. If you follow this screen, the system lifecycle processes are on the left, and the lifecycle stages are on the right. You'll see the lifecycle stages are similar to the old lifecycle stages in 800-64. You have your concept, development, production, utilization support, and then retirement. The stages from cradle to grave, 800-160 goes a little bit further than 800-64 did, 800-160 adds the processes which are agreement process, organizational project enabling process, technical management processes, and the technical processes. Which could be conducted at any lifecycle stage, either recursive, iterative, concurrent, parallel, or sequenced in execution. System security engineering activities and tasks are grounded in security and trust principles and concepts and leverage the principal concepts terms, and practices of system engineering to facilitate consistency in their application as part of the system engineering effort. The system lifecycle processes are not intended to be dictatorial in their execution and don't map explicitly to specific stages in the system life cycle. Instead, these processes are conducted as needed to achieve specific system engineering objectives. By design, the processes can be applied at any stage or level in the structural hierarchy of a system. The processes are intended to be tailored in their application, providing the needed flexibility and agility for optimized and efficient use across a wide variety of system engineering efforts, supporting diverse stakeholder communities of interest and sectors. System types, technologies, and trustworthiness objectives are also considered. Each lifecycle process description has a purpose, an outcome, activities, and tasks. The purpose section identifies the primary goals and objectives of the process and provides a summary of the security focus activities conducted during the process. The outcome section describes the security-focused outcomes achieved by the completion of the process and the data generated by the process. Finally, the activities and tasks section provides a description of the security-oriented work performed during the process, including the security focus enhancements to the activities and the tasks. This screen shows you the IDs and naming convention established for the system development processes under NIST 800-160. The naming convention is established for the system lifecycle processes. Each process is identified by a two-character designation. For example, AQ is the official designation for the acquisition process. BA is the official designation for the business or mission analysis process, etc. The system engineering execution of lifecycle processes occurs throughout the lifecycle of the system. However, the Systems Engineering objectives for the operation, OP, maintenance, MA, and disposal DS, processes are not supposed to be used as the checklist for the day-to-day operations, maintenance or disposal activities of an organization. On this screen, what I've done is I've overlaid the risk management framework to the NIST 800-160 system development lifecycle, as well as show you the old 800-64 system development lifecycle process to give these process some contexts. You see the NIST 800-160 SDLC in the blue text, showing you the concept, development, production, utilization, and support, and retirement. The old SDLC 800-64 is the initiation, development and acquisition, implementation, operations and maintenance, and disposal, and then the risk management framework, which is in black and it shows you the categorization and "select" under the concept or initiation. The "select" under the development, which is the old development and acquisition, and then the implement access and authorized, all that happens under the 800-160 production phase, which is the old implement, and then the monitor, which falls under the utilization and support for 800-160, considered as the old operation and maintenance and then the monitor, which is part of the retirement phase in the SDLC process and disposal. We monitor the system all the way up until the time period that it is retired. In This Course, we discussed the NIST 800-160 Volume 1, System Development Life Cycle, the purpose, outcome, activities, and tasks, how to identify the processes and the respective designations, and show the comparison of the risk management framework, 800-160 and the old 800-64 system development lifecycle.
