IBM Cloud Docs
SA-4 (3) - Development Methods, Techniques, and Practices

SA-4 (3) - Development Methods, Techniques, and Practices

Control requirements

SA-4 (3) (a)

Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined systems engineering methods].

SA-4 (3) (b)

Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined Selection (one or more): systems security; privacy] engineering methods]_.

SA-4 (3) (c)

Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes].

NIST supplemental guidance

Following a system development life cycle that includes state-of-the-practice software development methods, systems engineering methods, systems security and privacy engineering methods, and quality control processes helps to reduce the number and severity of latent errors within systems, system components, and system services. Reducing the number and severity of such errors reduces the number of vulnerabilities in those systems, components, and services. Transparency in the methods and techniques that developers select and implement for systems engineering, systems security and privacy engineering, software development, component and system assessments, and quality control processes provides an increased level of assurance in the trustworthiness of the system, system component, or system service being acquired.