This BSP also supports the goals of PDD-63 by ensuring that appropriate security controls are in place for every automated system.

Post this contact information with the publicly accessible BSP.

• Jack Garnish
  Social Security Administration, Office of Financial Policy and Operations, Office of Information Systems Security
  6401 Security Blvd, Baltimore, MD 21235
  Telephone: 410-965-2765
  Fax: 410-966-0527
  E-mail: jack.garnish@ssa.gov

• Staff contact: Laurie Peiser ( laurie.peiser@ssa.gov ), 410-965-0278

Vendor Partner:

• None

The systems development lifecycle breaks the systems development process down into phases during which discrete systems products are developed. This approach to systems development leads to well documented systems that are easier to test and maintain, and for which an organization can have confidence that the system's functions will be fulfilled with a minimum of unforeseen problems.

• SSA Systems Security Handbook Release 5.0, Chapter 6: Integrating Computer Security Into the Systems Lifecycle

• Sample language that can be used as a model in developing language for manuals/instructions used by systems designers throughout the SDLC

• Study your agency’s software development process. Obtain copies of the materials used by systems design and development during the SDLC. Talk to your systems development staff about how the process works. Develop some ideas of how you think security can be integrated into this process.
• Think about the security structure at your agency. Is it highly centralized, or do you have a decentralized structure with security officers throughout the agency whose expertise can be used in integrating security into the SDLC? Your security structure will influence the details of the process that you implement.
• Meet with your management. Discuss the reasons why integrating security into the SDLC will benefit your agency.
• Meet with systems staff to discuss the details of how best to integrate security into your agency's SDLC.
• Develop a draft policy. Work with systems staff on the integration of procedures into the SDLC documentation that will support this policy.
• Continue to work with your system’s staff to keep your policy up-to-date, and to keep pace with changes in your systems development lifecycle. Remember that this is an iterative process that will evolve as conditions change in your Agency.

To work properly, this implementation has to be a cooperative venture between security and systems personnel. Keep those contacts open.

A formal security plan is required by the Computer Security Act of 1987 for all systems containing sensitive information. At SSA, we have a Sensitive Systems Security Plans and Certification program that operates in parallel to the security in the SDLC process. Depending on your Agency needs, you may want to make sensitive system planning a part of your SDLC. We recommend the following references:

Computer Security Act of 1987, P.L. 100-235 (1988)

Office of Management and Budget (OMB) Circular No. A-130, "Management of Federal Information Resources"

NIST Special Publication No. 800-18, "Guide for Developing Security Plans for Information Technology Systems" dated December 1998.

Integrating security into the systems development lifecycle is important for the following reasons:

· It is more effective.  Meaningful security is easier to achieve when security issues are considered as a part of a routine development process, and security safeguards are integrated into the system during its design.

· It is less expensive.  To retrofit security is generally more expensive than to integrate it into an application.

· It is less obtrusive.  When security safeguards are integral to a system, they are usually easier to use and less visible to the user.

SPEC PUB 500-153, Guide to Auditing for Controls and Security: A System Development Life Cycle Approach, April 1988

SPEC PUB 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996