PR.IP-2: System Development Life Cycle — NIST CSF Control Guide
Managing systems without a formal System Development Life Cycle (SDLC) leaves security gaps that grow with every release. NIST PR.IP-2 requires organizations to establish and maintain an SDLC framework that embeds security throughout design, development, testing, and deployment. This control prevents vulnerabilities from reaching production and ensures systems meet security requirements from inception.
What this means
PR.IP-2 mandates that your organization implement a documented System Development Life Cycle that governs how all systems are built, modified, and deployed. This lifecycle must incorporate security considerations at every phase—from initial requirements gathering and design through development, testing, deployment, and maintenance. The SDLC should define roles, responsibilities, approval processes, and security standards that all development teams follow consistently. Without a formal SDLC, security becomes reactive rather than proactive, and systems reach production with unidentified or unmitigated risks.
How to comply
- 1.Document your organization's System Development Life Cycle framework, including all phases from planning through retirement
- 2.Define security requirements and controls that apply during each SDLC phase
- 3.Establish a change management process that requires security review before deployment
- 4.Implement code review procedures and security testing (SAST, DAST) before production release
- 5.Create approval workflows with documented sign-offs from security and business stakeholders
- 6.Provide SDLC training to all developers and relevant personnel
- 7.Monitor SDLC compliance through audit logs and maintain records of all development activities
- 8.Update your SDLC framework annually or when significant changes occur
Evidence auditors look for
- SDLC policy document defining phases, gates, and security checkpoints
- Development standards and secure coding guidelines enforced across projects
- Security requirements template used in all new system requests
- Change management records showing security approval before deployment
- Code review documentation with security findings and resolutions
- Vulnerability scan reports from automated testing tools
- Training records for developers on secure development practices
- Architecture review meeting notes including security considerations
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates SDLC gate tracking and security requirement linking—capturing code review records, deployment approvals, and vulnerability scan results directly into your compliance evidence library so auditors see complete PR.IP-2 traceability without manual spreadsheet collection.
See how GRCWatch handles this control automatically
Start free trial