Requirement:
The cybersecurity requirements related to software and application development projects must include at least the following:
Sub-Controls:
1-6-3-1:
Requirement:
Using secure coding standards.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the authorized representative
- Define and document technical cybersecurity requirements for Secure Coding Standard controls, covering all phases of the secure coding process, based on relevant laws and regulations, best practices, and standard controls for the development and protection of software and applications against internal and external threats. The aim is to minimize cyber risks and to address the key security objectives: confidentiality, integrity, and availability
- Communicate the Secure Coding Standard controls to the relevant departments in the organization (e.g., the IT department) and review their implementation periodically
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Secure Coding Standard controls approved by the organization
- Documents that confirm the implementation of Secure Coding Standard controls to information and technology assets
1-6-3-2:
Requirement:
Using trusted and licensed sources for software development tools and libraries.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the authorized representative
- Use only up-to-date, reliable, and licensed sources for software development tools and libraries
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- An up-to-date list of the licensed and documented software, development tools, and libraries used for application development
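The "trusted and licensed sources" requirement is most reliably enforced at the point where dependencies are resolved, by checking the lockfile a build actually uses. The following is an added example, not part of the ECC text and not NCA tooling: it audits an npm-style lockfile fragment (constructed for the example) against an allowlist of registries and licences (both assumptions) and fails the gate when a package is fetched over plain HTTP, from an unlisted host, without a strong integrity hash, or under a licence the organization has not approved.

```python
"""Gate a dependency lockfile against trusted registries and approved licences.

Added example (not part of the ECC text). The lockfile below is constructed
for illustration; the registry and licence allowlists are assumptions that an
organization would replace with its own approved sources.
"""
import json
from urllib.parse import urlparse

ALLOWED_REGISTRIES = {"registry.npmjs.org", "npm.internal.example"}  # assumption
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}             # assumption
ALLOWED_HASH_ALGS = {"sha512"}  # sha1 is accepted by npm but too weak for a gate

# Constructed package-lock.json v2 fragment ("packages" shape), not a real project.
SAMPLE_LOCKFILE = json.dumps({
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
            "license": "MIT",
        },
        "node_modules/shady-utils": {
            "version": "0.0.1",
            "resolved": "http://packages.example.net/shady-utils-0.0.1.tgz",
            "license": "MIT",
        },
        "node_modules/oldlib": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/oldlib/-/oldlib-2.0.0.tgz",
            "integrity": "sha1-" + "B" * 27 + "=",
            "license": "GPL-3.0-only",
        },
    }
})


def check_package(name, meta):
    """Return a list of findings for one lockfile entry (empty list == compliant)."""
    findings = []
    resolved = meta.get("resolved", "")
    url = urlparse(resolved)
    if url.scheme != "https":
        findings.append(f"{name}: not fetched over https ({resolved or 'no resolved URL'})")
    if url.hostname not in ALLOWED_REGISTRIES:
        findings.append(f"{name}: untrusted source {url.hostname}")
    integrity = meta.get("integrity", "")
    alg = integrity.split("-", 1)[0] if integrity else ""
    if alg not in ALLOWED_HASH_ALGS:
        findings.append(f"{name}: missing or weak integrity hash ({alg or 'none'})")
    lic = meta.get("license", "")
    if lic not in ALLOWED_LICENSES:
        findings.append(f"{name}: licence {lic or 'undeclared'} not approved")
    return findings


def audit_lockfile(text):
    """Walk every dependency entry and collect findings; the root entry is skipped."""
    data = json.loads(text)
    findings = []
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # "" is the project itself, not a fetched dependency
        findings.extend(check_package(path.rsplit("node_modules/", 1)[-1], meta))
    return findings


def gate(text):
    """True only when no finding exists; wire this into CI before the build step."""
    return len(audit_lockfile(text)) == 0


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCKFILE):
        print(finding)
    print("gate:", "PASS" if gate(SAMPLE_LOCKFILE) else "FAIL")
```

The same findings list, written to the build log, doubles as evidence for the "up-to-date list of licensed tools and libraries" deliverable, because it is regenerated from the lockfile on every build rather than maintained by hand.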
1-6-3-3:
Requirement:
Conducting compliance test for software against the defined organizational cybersecurity requirements.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the authorized representative
- Conduct testing, such as penetration testing, to verify that applications meet the organization's cybersecurity requirements, to confirm that the Secure Coding Standard controls were applied during development, and to detect weaknesses, vulnerabilities, and issues in the software
- Verify the access management requirements for users and review the application's cybersecurity architecture
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- A list of application development projects and of the security tests performed on each, with implementation reports, to verify the comprehensiveness of the tests and the extent to which the applications meet the organization's cybersecurity requirements
1-6-3-4:
Requirement:
Secure integration between software components.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the authorized representative
- Ensure the security of integration between applications by, but not limited to, security testing of the various integration technologies used, including:
  - Performing System Integration Testing (SIT)
  - Performing API testing
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- A report outlining the testing and assessment of secure integration between applications against the organization's cybersecurity requirements, together with implementation reports
1-6-3-5:
Requirement:
Conducting a configuration review, secure configuration and hardening, and patching of software products before going live.
Control Implementation Guidelines:
- Define and document the requirements of this ECC control in the cybersecurity requirements document and have them approved by the authorized representative
- Review secure configuration, hardening, and patching before launching applications and ensure their implementation in the following cases:
  - Secure configuration and hardening of information and technology assets and applications must be reviewed periodically, and their implementation in accordance with the approved technical security standard controls must be ensured
  - Secure configuration and hardening must be reviewed before launching projects and before changes to information and technology assets
  - Secure configuration and hardening must be reviewed before launching applications
- Approve the image for the secure configuration and hardening of information and technology assets in accordance with the technical security standard controls and keep it in a secure location
- Provide the technology required to centrally manage secure configuration and hardening, and ensure the automated implementation or update of secure configuration and hardening for all information and technology assets at pre-determined regular intervals
Expected Deliverables:
- A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
- Reports or evidence that Secure Configuration and Hardening and patching are reviewed before launching applications
- Reports or evidence that Secure Configuration and Hardening and patching are periodically reviewed
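A pre-go-live review and a periodic review are the same check run at different times: the live configuration is compared against the approved baseline and every deviation is reported, with the launch blocked on serious drift. The following is an added example, not part of the ECC text and not NCA tooling. The baseline, the sshd_config-style snapshot, the severity labels, and the rule that only high-severity drift blocks go-live are all assumptions constructed for the example; an organization would substitute its own approved technical security standard.

```python
"""Compare a host configuration snapshot against an approved hardening baseline.

Added example (not part of the ECC text). BASELINE and SAMPLE_CONFIG are
constructed for illustration; severities and the go-live rule are assumptions.
"""

# Approved hardening baseline (assumed): setting -> (required value, severity).
BASELINE = {
    "PermitRootLogin":        ("no",      "high"),
    "PasswordAuthentication": ("no",      "high"),
    "X11Forwarding":          ("no",      "medium"),
    "MaxAuthTries":           ("4",       "medium"),
    "LogLevel":               ("VERBOSE", "low"),
}

# Constructed sshd_config-style snapshot captured from the host before launch.
SAMPLE_CONFIG = """\
# sshd_config snapshot (constructed for the example)
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
"""


def parse_kv_config(text):
    """Parse 'Key value' lines into a dict; comments and blanks are ignored,
    keys are lower-cased, and a repeated key keeps the last value seen."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def check_against_baseline(text, baseline=BASELINE):
    """Return (setting, expected, actual, severity) for every baseline item the
    snapshot does not satisfy; a missing setting is reported with actual=None."""
    live = parse_kv_config(text)
    deviations = []
    for key, (expected, severity) in baseline.items():
        actual = live.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            deviations.append((key, expected, actual, severity))
    return deviations


def go_live_allowed(text, baseline=BASELINE):
    """Block launch on any high-severity deviation (assumed rule); lower
    severities still appear in the review report but do not block."""
    return not any(sev == "high" for *_, sev in check_against_baseline(text, baseline))


if __name__ == "__main__":
    for key, expected, actual, sev in check_against_baseline(SAMPLE_CONFIG):
        print(f"[{sev}] {key}: expected {expected!r}, found {actual!r}")
    print("go-live:", "ALLOWED" if go_live_allowed(SAMPLE_CONFIG) else "BLOCKED")
```

Running the same function from a scheduler against a fresh snapshot produces the periodic-review evidence the deliverables above ask for, and the deviation list is the record of what the approved image still has to correct.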