2.3.12-9-1 Ensure the contractor's Security implementation processes for the program are documented, complete, correct, effective for the Security application, efficient, and followed
Phases: B, C, D1, D3

Ensure program processes for Security implementation exist, that they are documented and updated when necessary, that they are correct and complete, and that they are effective for the Security application and efficient. Ensure that the contractor's Secure Development Standard is followed, that the software is compliant with it, and that all software is compliant with the DISA Application Security & Development Security Technical Implementation Guide (STIG). Ensure that developers know and follow the processes. Ensure the implementation processes address all categories of Security (newly developed code, reuse code (unmodified and modified), open source code, COTS, and GOTS). Ensure the processes address both initial coding and subsequent modifications. Ensure the processes are consistent with all required specifications, standards, and constraints. Ensure processes for code analyses are included for automated structure analysis, static analysis, dynamic analysis, complexity analysis, and analyses for memory leaks, vulnerabilities, type mismatches, and dead code. Ensure the processes include criteria for determining when a specific code analysis is appropriate. Ensure the processes require code peer reviews for all new and modified reuse and open source code. Ensure the types of peer review required are consistent with the type and criticality of the Security item and that the peer reviews and code analyses enforce the coding standards and practices. Ensure that any tailoring of corporate Security implementation processes is appropriate for the program. Ensure the contractor's code development tools are adequate and support the implementation processes.

NA | NA

References: National Institute of Standards and Technology (NIST) SP 800-64, Security Considerations in the System Development Life Cycle; Open Web Application Security Project (OWASP) Software Assurance Maturity Model - A Guide to Building Security into Software Development; Defense Information Systems Agency (DISA) Network Security Technical Implementation Guides (STIGs)
2.3.12-9-2 Ensure the contractor's Security coding standards, practices, procedures, and conventions are documented, complete, correct, effective for the Security application, efficient, and followed
Phases: B, C, D1, D3

Ensure coding standards, practices, procedures, and conventions exist, that they are documented and updated when necessary, that they are relevant, correct, and complete, and that they are effective. Ensure that developers know and follow the coding standards, practices, procedures, and conventions. Ensure coding standards, practices, procedures, and conventions exist for all languages in use on the program and all types of code (newly developed, unmodified reuse and open source, modified reuse and open source). Ensure the coding standards, practices, procedures, and conventions enforce dependability and Cybersecurity requirements by restricting code to allowed types of constructs that avoid programmer mistakes and the insertion of vulnerabilities. Ensure the coding standards, practices, procedures, and conventions are consistent with industry best practices. Ensure the coding standards, practices, procedures, and conventions are enforced on the program by peer reviews and code analyses. Ensure the coding standards, practices, procedures, and conventions include government, commercial, and international standards as appropriate for the program's contract, scope, and constraints.

NA | NA

References: National Institute of Standards and Technology (NIST) SP 800-64, Security Considerations in the System Development Life Cycle; Open Web Application Security Project (OWASP) Software Assurance Maturity Model - A Guide to Building Security into Software Development
2.3.12-9-3 Ensure the code (newly developed, reuse, open source, modified reuse and open source) meets Security standards
Phases: B, C, D1, D3

Ensure all code required by the architecture and design has been developed, obtained, or modified (including reuse or open source code, modified reuse or open source code, newly developed code, and application program interfaces (APIs) for COTS, GOTS, reuse, and open source code) and that the code is consistent with the architecture and design. Ensure that the code for each design unit is complete. Ensure that interface code adheres to the interface design or required Interface Control Document (ICD). Ensure that the code was correctly implemented or modified. Ensure that an appropriate type of peer review was held for each code unit and that action items from the peer reviews were closed. Ensure that the program's implementation processes were followed for all types of code. Ensure that all changes to code adhere to these same criteria.

NA | NA

References: National Institute of Standards and Technology (NIST) SP 800-64, Security Considerations in the System Development Life Cycle; Open Web Application Security Project (OWASP) Software Assurance Maturity Model - A Guide to Building Security into Software Development
2.3.12-9-4 Ensure all reuse, COTS, GOTS, and open source security code selected during implementation meets the program's established evaluation criteria
Phases: B, C, D1, D3

Ensure the justification for the use of any legacy, reuse, COTS, GOTS, open source, and other non-developmental item (NDI) Security selected during implementation is documented, complete, up to date, and contains sufficient detail to support the use of the selected product. Ensure that the documented justifications were based on a robust set of evaluation criteria. Ensure the selected legacy, reuse, open source, COTS, GOTS, and other NDI Security have a track record for dependability. Ensure the adequacy of the selection in terms of: ability to provide required capabilities and meet required constraints; ability to provide required protection (safety, security, and privacy); reliability/maturity; testability; operability; Security supplier viability; suitability for incorporation into the new system architecture; ability to remove or disable features and capabilities not required in the new system; interoperability with other system and system-external elements; availability of personnel knowledgeable about the reusable Security product; availability and quality of documentation and source files; acceptability of reusable Security product licensing and data rights; supportability; ability to make changes; impacts of upgrades to legacy, reuse, open source, COTS, GOTS, or other NDI Security products; compatibility of planned upgrades of legacy, reuse, open source, COTS, GOTS, or other NDI Security products with Security development plans and schedules; criticality of the functionality provided by the legacy, reuse, open source, COTS, GOTS, or other NDI Security products; short- and long-term cost impacts of using the legacy, reuse, open source, COTS, GOTS, or other NDI Security products; technical, cost, and schedule risks and tradeoffs in using the legacy, reuse, open source, COTS, GOTS, or other NDI Security products; and whether to incorporate any available upgrades.

NA | NA

References: National Institute of Standards and Technology (NIST) SP 800-64, Security Considerations in the System Development Life Cycle; Open Web Application Security Project (OWASP) Software Assurance Maturity Model - A Guide to Building Security into Software Development
2.3.12-9-5 Ensure the correctness and completeness of the bidirectional traceability between the Security code and Security requirements and between the Security code units and the Security design units
Phases: B, C, D1, D3

Ensure the bidirectional traceability between Security implementation units (including newly developed, reuse, open source, modified reuse, modified open source, COTS, and GOTS Security) and their allocated Security requirements (including Security interface requirements) is complete and correct. Ensure that all Security requirements, including Security interface requirements, are traced to at least one implementation unit and that the collection of implementation units to which each requirement is traced will actually satisfy the requirement. Ensure that all implementation units are traced to one or more Security requirements, including Security interface requirements, or are derived from documented design decisions and are traced to those decisions. Ensure that the bidirectional traceability between the design units and the implementation units is complete and correct. Ensure that all design units are traced to at least one implementation unit and that the collection of implementation units to which the design unit is traced will actually implement the design documented by the design unit. Ensure that all implementation units are traced to at least one design unit.

NA | NA

References: National Institute of Standards and Technology (NIST) SP 800-64, Security Considerations in the System Development Life Cycle; Open Web Application Security Project (OWASP) Software Assurance Maturity Model - A Guide to Building Security into Software Development
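The completeness conditions in this task (every requirement traced to at least one implementation unit; every implementation unit traced to a requirement or to a documented design decision; every design unit traced to at least one implementation unit and every implementation unit traced to at least one design unit) can be checked mechanically from a traceability matrix before an oversight review looks at the judgement calls. The following is an added Python example written for this checklist item; it is not part of the checklist and not any contractor's tooling. The identifiers (SR-1, DU-A, DD-7, the file names) are constructed sample data, and the function and field names are the example's own.

```python
"""Added example: mechanical completeness check of a bidirectional traceability matrix.

The sample identifiers below are constructed for illustration; they are not
from any real program. Only the structural conditions are checked here;
whether the traced units actually satisfy a requirement or implement a
design unit remains a review judgement.
"""
from dataclasses import dataclass, field


@dataclass
class TraceReport:
    untraced_requirements: list = field(default_factory=list)  # requirement with no implementation unit
    untraced_units: list = field(default_factory=list)         # unit with no requirement and no design decision
    untraced_design_units: list = field(default_factory=list)  # design unit with no implementation unit
    units_without_design: list = field(default_factory=list)   # unit not traced to any design unit
    unknown_references: list = field(default_factory=list)     # trace entries naming units not in the baseline

    def is_complete(self) -> bool:
        return not (self.untraced_requirements or self.untraced_units
                    or self.untraced_design_units or self.units_without_design
                    or self.unknown_references)


def check_traceability(requirements, design_units, impl_units,
                       req_to_units, design_to_units, unit_to_decisions):
    """Return a TraceReport for the given trace links.

    requirements, design_units, impl_units: sets of identifiers.
    req_to_units / design_to_units: id -> set of implementation unit ids.
    unit_to_decisions: implementation unit id -> set of documented design
    decision ids (for derived units that trace to no requirement).
    """
    report = TraceReport()

    # Requirement -> unit direction (interface requirements are just more requirements).
    units_from_reqs = set()
    for req in sorted(requirements):
        units = req_to_units.get(req, set())
        if not units:
            report.untraced_requirements.append(req)
        units_from_reqs |= units

    # Design unit -> unit direction.
    units_from_design = set()
    for du in sorted(design_units):
        units = design_to_units.get(du, set())
        if not units:
            report.untraced_design_units.append(du)
        units_from_design |= units

    # Trace entries that name units not present in the implementation baseline.
    referenced = units_from_reqs | units_from_design
    report.unknown_references = sorted(referenced - impl_units)

    # Unit -> requirement (or documented design decision) and unit -> design directions.
    for unit in sorted(impl_units):
        derived = bool(unit_to_decisions.get(unit))
        if unit not in units_from_reqs and not derived:
            report.untraced_units.append(unit)
        if unit not in units_from_design:
            report.units_without_design.append(unit)

    return report


# Constructed sample matrix (not from a real program).
SAMPLE = dict(
    requirements={"SR-1", "SR-2", "SR-3"},
    design_units={"DU-A", "DU-B"},
    impl_units={"auth.py", "session.py", "logging.py", "legacy_util.py"},
    req_to_units={"SR-1": {"auth.py"}, "SR-2": {"auth.py", "session.py"}, "SR-3": set()},
    design_to_units={"DU-A": {"auth.py", "session.py"}, "DU-B": set()},
    unit_to_decisions={"logging.py": {"DD-7"}},  # derived unit, traced to a design decision
)


def sample_report() -> TraceReport:
    return check_traceability(**SAMPLE)


if __name__ == "__main__":
    r = sample_report()
    print("complete:", r.is_complete())
    for name, items in vars(r).items():
        if items:
            print(f"  {name}: {items}")
```

On the constructed sample the report flags SR-3 (no implementation unit), legacy_util.py (no requirement and no design decision), DU-B (no implementation unit), and both logging.py and legacy_util.py as lacking a design unit; logging.py is accepted on the requirement side only because it carries a documented design decision. A clean report is the entry condition for the review, not evidence that the traced units satisfy what they are traced to.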
2.3.12-9-6 Ensure contractor code peer reviews are attended by qualified contractor personnel and, if allowed by contractor processes, qualified oversight personnel, and that the peer reviews are effective and follow the program's peer review processes
Phases: B, C, D1, D3

Ensure each contractor code peer review identified the required and desired personnel, that the required personnel are appropriately qualified, and that the peer review is not held without the presence of all required personnel. Ensure that the appropriate type of peer review is held for each code unit. Ensure that qualified oversight organization personnel participate in contractor peer reviews, on a sampling basis, as long as the contractor's internal processes allow for such participation or such participation is required by the contract. Ensure that all attendees, contractor or oversight, spend an adequate amount of time preparing for the peer review and that they participate in the peer review by identifying problems or issues. Ensure that the peer reviews evaluate the code against criteria established prior to the peer review meeting (e.g., established code peer review checklists). Ensure that all action items, whether initiated by contractor or oversight personnel, are captured and tracked to closure. Ensure that Security quality assurance personnel participate in the peer reviews, on a sampling basis if necessary, and that they review the peer reviews for adherence to the peer review process and review the code for adherence to the program's coding standards, practices, procedures, and conventions. Ensure that any dependencies of mission-critical functions on the non-developmental code have been identified. Ensure that the impact on system Security requirements and performance parameters has been determined and documented. Ensure that any adverse effects are addressed and mitigations identified.

NA | NA

References: National Institute of Standards and Technology (NIST) SP 800-64, Security Considerations in the System Development Life Cycle; Open Web Application Security Project (OWASP) Software Assurance Maturity Model - A Guide to Building Security into Software Development
2.3.12-9-7 Ensure code analyses are performed to identify incomplete or missing data input validation, memory leaks, vulnerabilities, type mismatches and other common Security defects, and dead code
Phases: B, C, D1, D3

Ensure the contractor has performed code analysis for common Security defects, such as memory leaks, buffer overflow conditions, type mismatches, dead code, and so on, using automated structure analysis, static analysis, dynamic analysis, and complexity analysis, as appropriate. Ensure that all problems and issues found by these analyses have been documented as discrepancy reports or action items. Ensure that all discrepancy reports and action items generated by these code analyses are tracked to closure. Ensure that all identified vulnerabilities have been documented, that adequate risk mitigation plans have been developed and are being successfully implemented, and that they are tracked to closure.

NA | NA

References: National Institute of Standards and Technology (NIST) SP 800-64, Security Considerations in the System Development Life Cycle; Open Web Application Security Project (OWASP) Software Assurance Maturity Model - A Guide to Building Security into Software Development
2.3.12-9-8 Ensure all Cybersecurity mechanisms are completely and accurately tested
Phases: B, C, D1, D3

Ensure that a test is defined for each Cybersecurity mechanism. Ensure that for each relevant mechanism there is a test scenario, test cases, and detailed test scripts. Ensure that the test scripts identify initial conditions, inputs, and expected results. Ensure that the testing of each mechanism completely and accurately exercises the defined functions. Ensure that both positive and negative testing, as appropriate, are performed. Ensure that the observed results are consistent with the expected results.

NA | NA

References: National Institute of Standards and Technology (NIST) SP 800-64, Security Considerations in the System Development Life Cycle; Open Web Application Security Project (OWASP) Software Assurance Maturity Model - A Guide to Building Security into Software Development
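The structure this task asks for (a named mechanism, test cases that record initial conditions, inputs and expected results, both positive and negative cases, and observed results compared against expected ones) can be expressed as a table-driven harness that also reports which mechanisms lack a positive or a negative case. What follows is an added Python example written for this checklist item; it is not code from the checklist or from any program under oversight. The two mechanisms (a role-based authorization check and a username validator), their rules, the policy, and the test cases are constructed for illustration, and all names are the example's own.

```python
"""Added example: table-driven positive/negative testing of Cybersecurity mechanisms.

The mechanisms and their rules below are constructed for illustration only.
Each test case records its initial conditions, inputs and expected result;
the harness reports observed-vs-expected and checks that every mechanism has
at least one positive and one negative case.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict


# --- Mechanisms under test (constructed examples) ---------------------------

def authorize(policy: Dict[str, set], role: str, action: str) -> bool:
    """Role-based check: allowed only if the action is listed for the role.
    Unknown roles have no permissions (deny by default)."""
    return action in policy.get(role, set())


def validate_username(name: str) -> bool:
    """Accept 3-32 ASCII letters, digits or underscores, not starting with a digit."""
    if not 3 <= len(name) <= 32 or not name.isascii():
        return False
    if name[0].isdigit():
        return False
    return all(ch.isalnum() or ch == "_" for ch in name)


# Adapter: mechanism name -> callable(initial_conditions, inputs) -> observed result.
MECHANISMS: Dict[str, Callable[[dict, dict], Any]] = {
    "rbac_authorize": lambda init, inp: authorize(init["policy"], inp["role"], inp["action"]),
    "username_validation": lambda init, inp: validate_username(inp["name"]),
}


@dataclass(frozen=True)
class TestCase:
    mechanism: str
    name: str
    initial_conditions: dict
    inputs: dict
    expected: Any
    positive: bool  # True: input should be accepted; False: input should be rejected


POLICY = {"admin": {"read", "write"}, "viewer": {"read"}}  # constructed policy

# Constructed test cases: initial conditions, inputs, expected result.
CASES = [
    TestCase("rbac_authorize", "admin may write", {"policy": POLICY},
             {"role": "admin", "action": "write"}, True, positive=True),
    TestCase("rbac_authorize", "viewer may not write", {"policy": POLICY},
             {"role": "viewer", "action": "write"}, False, positive=False),
    TestCase("rbac_authorize", "unknown role denied", {"policy": POLICY},
             {"role": "guest", "action": "read"}, False, positive=False),
    TestCase("username_validation", "well-formed name", {}, {"name": "alice_01"}, True, positive=True),
    TestCase("username_validation", "leading digit", {}, {"name": "1abc"}, False, positive=False),
    TestCase("username_validation", "too long", {}, {"name": "a" * 33}, False, positive=False),
    TestCase("username_validation", "embedded space", {}, {"name": "ali ce"}, False, positive=False),
]


def run_cases(cases):
    """Execute each case against its mechanism and record observed vs expected."""
    results = []
    for case in cases:
        observed = MECHANISMS[case.mechanism](case.initial_conditions, case.inputs)
        results.append({"mechanism": case.mechanism, "name": case.name,
                        "expected": case.expected, "observed": observed,
                        "passed": observed == case.expected})
    return results


def coverage_gaps(cases, mechanisms):
    """Return {mechanism: [missing kinds]} for mechanisms lacking a positive
    or a negative case; an empty dict means every mechanism has both."""
    gaps = {}
    for mech in mechanisms:
        has_pos = any(c.mechanism == mech and c.positive for c in cases)
        has_neg = any(c.mechanism == mech and not c.positive for c in cases)
        missing = [kind for kind, ok in (("positive", has_pos), ("negative", has_neg)) if not ok]
        if missing:
            gaps[mech] = missing
    return gaps


if __name__ == "__main__":
    for r in run_cases(CASES):
        print("PASS" if r["passed"] else "FAIL", r["mechanism"], r["name"],
              "expected", r["expected"], "observed", r["observed"])
    print("coverage gaps:", coverage_gaps(CASES, MECHANISMS))
```

The coverage check is the part reviewers tend to need most: a mechanism whose only cases are positive ones has not been shown to reject anything, which is the property a Cybersecurity mechanism exists to provide. Keeping initial conditions, inputs and expected results as data rather than inline in test code also makes the test script itself reviewable against the mechanism's specification.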