Definition of Security Requirements for Software Development, v1.1

Specifies requirements in accordance with NIST Secure Software Development Framework (SSDF), version 1.1, Practice PO.1: Definition of Security Requirements for Software Development. Requires an organization to ensure that security requirements for software development are known at all times so that they can be taken into account throughout the SDLC and duplication of effort can be minimized because the requirements information can be collected once and shared. This includes requirements from internal sources (e.g., the organization's policies, business objectives, and risk management strategy) and external sources (e.g., applicable laws and regulations).

Assessment Steps (3)

1. SDLC Security Requirements for Software Development (SDLCSecurityRequirementsforSoftwareDevelopment)
   Does the organization identify and document all security requirements for its software development infrastructures and processes, and maintain the requirements over time?
   Artifact A1: Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports) and supporting notes as appropriate to support the assessor's response to this assessment step.

2. SDLC Security Requirements for Organization-Developed Software (SDLCSecurityRequirementsforOrganization-DevelopedSoftware)
   Does the organization identify and document all security requirements that organization-developed software must meet, and maintain the requirements over time?
   Artifact A1: Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports) and supporting notes as appropriate to support the assessor's response to this assessment step.

3. Communication of SDLC Security Requirements to Third-Party Software Vendors (CommunicationofSDLCSecurityRequirementstoThird-PartySoftwareVendors)
   Does the organization communicate its security requirements to all third parties who will provide commercial software components for reuse by the organization's own software?
   Artifact A1: Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports) and supporting notes as appropriate to support the assessor's response to this assessment step.

Conformance Criteria (3)

SDLC Security Requirements for Software Development
The organization must identify and document all security requirements for its software development infrastructures and processes, and maintain the requirements over time.
Citation: SSDF, Task PO.1.1

SDLC Security Requirements for Organization-Developed Software
The organization must identify and document all security requirements that organization-developed software must meet, and maintain the requirements over time.
Citation: SSDF, Task PO.1.2

Communication of SDLC Security Requirements to Third-Party Software Vendors
The organization must communicate its security requirements to all third parties who will provide commercial software components for reuse by the organization's own software.
Citation: SSDF, Task PO.1.3