Has your organization integrated cybersecurity considerations into all phases of your product development lifecycle?
Explanation
Security across the product lifecycle is what's being assessed, namely whether cybersecurity is built into every phase from conception through retirement rather than added late. Effective integration includes security requirements gathering, threat modeling during design, secure coding practices during development, security testing before release, and vulnerability management post-deployment.
Evidence could include documentation of your secure development lifecycle (SDLC) process, security requirements templates, threat modeling artifacts, security testing results from different product phases, or security-focused design review meeting minutes.
Implementation Example
Integrate cybersecurity considerations into product life cycles
ID: ID.AM-08.139
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Systems, hardware, software, services, and data are managed throughout their life cycles
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

