The System Development Life Cycle And The Risk Management Framework

1301 Words6 Pages
A Comparison of the System Development Life Cycle and the Risk Management Framework The System Development Life Cycle (SDLC) and the Risk Management Framework (RMF) are both processes that are critical to the overall function of an information system, however many project managers and system developers working with the SDLC regularly neglect to incorporate the RMF steps into the development of information systems. This lack of planning and foresight often has unexpected financial impacts, or worse, adverse security effects to an organization later on. Is it possible these individuals overlook the RMF because it is difficult to follow or does not align well with the SDLC? What is the purpose of, and the steps involved with each of these…show more content…
During SDLC phase one, the initiation phase, “the need for a system is expressed and the purpose of the system is documented” (NIST, 2008). Some of the expected outcomes from this phase would be a project plan and schedule; system performance specifications outlining the operational requirements, system design documents, and a document that defines roles and responsibilities. The corresponding RMF step, security categorization, establishes the foundation for security standardization among information systems and provides a vital step towards integrating security into the information system (NIST, 2008). During this step, the type(s) of information processed by the information system are identified and the information system is categorized to determine the level of protection requirements to put in place. Some of the expected outputs of this step include a security project plan and schedule, documented system boundary, the system categorization, and the security roles and responsibilities. These two process steps are very similar except the focus of RMF is on information security related functions. In some cases, SDLC produces the expected outputs that RMF requires, and the security professionals only require a copy of the documentation for their records. For example, the system design document often depicts the system boundary. The reason this step is so critical is that it
Open Document