ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

NIST Special Publication 800-64 Revision 2, "Security Considerations in the System Development Life Cycle," is organized around the classic SDLC phases (Initiation; Development/Acquisition; Implementation/Assessment; Operation/Maintenance; and Disposal). For every phase it prescribes specific security tasks such as requirements identification, architectural risk analysis, code reviews, security testing, change control, and secure disposal activities.

In contrast, the Secure Software Development Framework (SSDF) in SP 800-218 provides a set of security practices grouped into Prepare, Protect, Produce, and Respond categories, but it intentionally does not tie those practices to particular SDLC phases. The Risk Management Framework (SP 800-37) focuses on system authorization and continuous monitoring, while the Cybersecurity Framework offers high-level organizational risk-management guidance. Therefore, SP 800-64 Rev. 2 is the most appropriate choice for phase-specific secure-development tasks.