Acquisition and Development Phase

In the previous phase (Initiation), the system was characterized, an impact category was assigned, the risk assessment process began with impact assessments, and some general security requirements should have been defined.

Risk Management is at the core of this phase. It begins with assessing risk and laying the foundation for defining security requirements in the following steps:

  • Risk Assessment
    • Threat Identification
    • Vulnerability Identification
    • Risk Analysis
    • Control Recommendations
    • Documentation
  • Risk Mitigation – security controls that mitigate risk
    • Baseline of controls (selected by impact category in the previous phase)
    • Tailoring of controls
    • Supplementing controls

(Figure: fitting pieces together)

The phase continues with Security Planning, which is the process of documenting the requirements for security protection as they are being developed or changed. This began in the last phase and continues in this phase with the same key areas:

  • Security Plan
    • Inventory/Asset Management (I/AM)
    • Site Security Plan (SSP)
    • Risk Assessment (RA)
    • Configuration Management (CM)

There are other parts and components of security planning that are not listed above (for more in-depth information, visit the Security Planning section).

The next phase is Implementation, where controls are put into action and tested and the process of authorization (known as C&A) takes place.
