Project Managers need to address IT security threats and vulnerabilities early in the SDLC, when the cost of implementing security controls and practices is relatively low and convenient to budget and schedule. Moreover, adherence to security-based software development practices prevents deficiencies rather than remediating them after the fact. The cost to remediate a security weakness increases geometrically as a project moves through the SDLC.
The SDLC must also include those activities which will ensure the incorporation of an adequate security control baseline into all phases of system development, operations, maintenance, and disposal. Including information system security early in the SDLC for an information system will usually result in less expensive and more effective security than adding security to an operational system. NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle, presents a framework for incorporating security into all phases of the SDLC process, from definition to disposal.
The SDLC includes the following steps:
▲ Step 0: Concept Definition
▲ Step 1: Concept Development
▲ Step 2: System Design and Prototype
▲ Step 3: System Development and Testing
▲ Step 4: System Deployment
▲ Step 5: System Operation (including System Disposal)
Project Management Framework
The mapping of the IPMC Project Management Process and the IPMC life cycle identifies the project management outputs for each IPMC project management step and milestone review. It also shows the project management process groups with corresponding actions and artifacts identified by IPMC.
Figure 1.9 illustrates the actions and associated artifacts of the IPMC Project and Program Management process.