Information security should be considered throughout the life of the information system, including development, programming, configuration, or operational changes and modifications.


  • The unit head or information resource owner is responsible for ensuring that all requirements of this Control are substantiated and maintained throughout the life cycle of an information system.


  • 1

    All information systems shall be designed, developed, configured, and operated within a security framework that ensures the confidentiality, integrity and availability throughout the information system life cycle.

    • 1.1

      All information systems, whether developed, acquired, or contracted either in house or by a third-party, shall implement a recognized risk mitigation framework such as NIST 800-37 rev. 1.

    • 1.2

      Regardless of the framework adopted, the following steps shall be addressed:

      • 1.2.1

        Information security roles and responsibilities are defined and documented throughout the system development life cycle;

      • 1.2.2

        Individuals having information security roles and responsibilities are identified;

      • 1.2.3

        Applied security controls shall be based on the classification of data that is stored or processed by the software or information system;

      • 1.2.4

        Risk management must be fully integrated into the life cycle from conception to development to operation and then finally to disposition; and

      • 1.2.5

        Units shall ensure that lifecycle activities are documented and that the documentation is maintained.

    • 1.3

      Assessment of information security risk, security testing, and audit controls shall be included in all phases of the system development life cycle or acquisition process to produce the desired outcome with respect to meeting the security requirements for the system.

    • 1.4

      The unit head or information resource owner of an information resource shall approve and document that the information system is operationally secure and acceptable for use.

    • 1.5

      Security reviews shall be conducted when an information system has been modified or updated to ensure that the security posture of the information system has not been compromised.

  • (This control replaces the previous SAP 29.01.03.M1.21 Security Life Cycle for Information Systems)