FFIEC Development, Acquisition, and Maintenance (DA&M) Booklet: What You Need to Know

The Federal Financial Institutions Examination Council (FFIEC) has revamped its "Development and Acquisition" booklet, replacing it with the Development, Acquisition, and Maintenance (DA&M) booklet. This transformation reflects a more comprehensive approach to managing IT-related risks within financial institutions and their third-party service providers. Below, we delve into the introductory concepts and general updates, emphasizing key enhancements and their implications.

For further study, read the full Development, Acquisition, and Maintenance (DA&M) Booklet and the August 29, 2024 FFIEC brief summarizing the DA&M Updates.

Overview and Purpose of the Development, Acquisition, and Maintenance (DA&M) Booklet

The revised DA&M booklet is part of the FFIEC Information Technology Examination Handbook series, designed to provide examiners with tools to evaluate entities' IT practices effectively. By incorporating maintenance as a foundational component alongside development and acquisition, the booklet signals a lifecycle approach to managing IT systems and processes. 

Purpose and Perspective of Revised DA&M Booklet

The DA&M booklet replaces the earlier "Development and Acquisition" booklet (2004), reflecting nearly two decades of technological advancements and shifting regulatory priorities. Its primary goals include:

• Expanding the Scope: The addition of maintenance as a core component ensures a comprehensive focus on the entire lifecycle of IT systems and components.
• Emphasizing Resilience: Maintenance is framed as integral to system reliability, emphasizing preventive and corrective actions that minimize failures and support operational continuity.
• Broadening the Audience: By replacing "financial institutions" with "entities," the booklet now applies to third-party service providers and other organizations critical to financial systems' IT infrastructure.

This approach aligns with industry trends, recognizing that risks and responsibilities extend beyond traditional banking institutions.

Lifecycle Approach of the DA&M Booklet

The booklet adopts a lifecycle perspective, detailing three interconnected phases:

1. Development: This phase involves defining, designing, and implementing IT systems and components. It emphasizes aligning IT activities with enterprise objectives and fostering secure, efficient solutions.
2. Acquisition: Covers all aspects of procurement, from initial requirements to contract closeout. It ensures confidentiality, integrity, and resilience throughout the supply chain.
3. Maintenance: Highlights the ongoing care of IT systems, including preventive maintenance, updates, and end-of-life strategies, to sustain operational integrity and mitigate risks.

By integrating these phases, the booklet promotes a cohesive strategy for managing IT risks and achieving organizational goals.

Alignment with Current Authoritative Standards

The revised booklet enhances credibility and consistency by aligning with established frameworks and regulations, including:

• NIST 2.0 Standards: The booklet incorporates terminology and best practices from the National Institute of Standards and Technology, ensuring technical relevance.
• Interagency Guidance: It integrates directives from federal agencies to create a unified approach for managing IT risks.
• Regulatory Compliance: References federal regulations, such as the Gramm-Leach-Bliley Act (GLBA), to guide entities in maintaining compliance with information security requirements.

These alignments ensure that the booklet remains applicable and adaptable amid rapid technological and regulatory changes.

Common Risk Topics Covered in the DA&M Booklet

The "Common Risk Topics" section of the Development, Acquisition, and Maintenance (DA&M) booklet focuses on risks that cut across all phases of IT system management. These shared concerns—spanning development, acquisition, and maintenance—underscore the need for comprehensive strategies to mitigate vulnerabilities in increasingly complex IT environments. Below, we explore the key updates and risk considerations outlined in the booklet.

Hardware and Software Risks

Hardware and software represent foundational components of IT systems, but they also introduce unique vulnerabilities:

Open-Source Software (OSS):

• OSS is often cost-effective and widely used, but it carries risks such as:
  • Poorly Written Code: May lead to performance issues or vulnerabilities.
  • Inadequate Security Controls: Can result in unauthorized access or data breaches.
  • Licensing Complications: Mismanagement of licenses may result in legal challenges.
• To mitigate these risks, entities should:
  • Conduct thorough component analyses.
  • Use private repositories or public ones with code-signing features.
  • Employ automated tools to verify source code and review documentation.
  • Regularly monitor vendor updates and security patches.

Commercial Off-The-Shelf (COTS) Software:

• While cost-effective and ready-to-deploy, COTS software often requires significant modifications to meet entity-specific needs. Risks include:
  • Default Configurations: May leave unnecessary services enabled, increasing the attack surface.
  • Security Gaps: Systems may lack proper hardening (e.g., changing default passwords or enabling secure backups).
• Mitigating COTS risks involves:
  • Conducting thorough security reviews.
  • Disabling unnecessary features and enabling secure logging mechanisms.

Licensing, Agreements, and Copyright Protection

Effective management of software and hardware licenses is critical to operational continuity:

• License Management:
  • Entities must track expiration dates and ensure compliance with usage rights.
  • Clear agreements should define maintenance terms and scope of use.
• Copyright Protection:
  • Covers reproduction, adaptation, and display rights for both software and hardware.
  • Helps avoid legal disputes and ensures proper credit to intellectual property holders.

Secure Development, Data, and Operating Environments

Ensuring secure development and operational practices is fundamental to protecting systems and data:

• Secure Development Practices:
  • Security must be embedded in every phase of development, including:
    • Quality management and secure coding.
    • Regular code reviews and vulnerability scanning.
• Data Security:
  • Requires inventories to classify and control sensitive data based on storage location and access requirements.
• Secure Operating Environments:
  • Involves enforcing configuration management, access controls, and robust business continuity planning.
  • Entities should monitor third-party activities to ensure compliance with contract and regulatory requirements.

Emerging Technology Risks: Microservices, Containers, and APIs

Emerging technologies offer flexibility and scalability but introduce unique risks:

• Microservices:
  • Composed of small, self-contained units working together via APIs.
  • Risks include misconfigured service registries and inadequate monitoring controls.
• Containers:
  • Package applications for consistent, secure execution in virtualized environments.
  • Require controls for container runtime and image security.
• APIs:
  • Enable communication between systems but must be secured against unauthorized access and data exposure.
  • Maintenance involves constant monitoring and implementing access controls.

Methodologies and Quality Assurance

Strong methodologies and quality controls are vital to achieving reliable IT systems:

• Development Methodologies:
  • Agile, waterfall, and hybrid approaches must align with the entity’s goals.
  • Effective training ensures staff proficiency in the chosen methodology.
• Quality Assurance (QA):
  • QA functions must remain independent of development to provide objective evaluations.
  • Processes include penetration testing, code reviews, and system vulnerability scanning.

Documentation Standards

Comprehensive documentation enhances system functionality and accountability:

• Key Documentation:
  • Should include system descriptions, data flow diagrams, and configuration details.
  • Access to documentation should be restricted based on the principle of least privilege.
• Maintenance:
  • Regular updates to documentation ensure alignment with system changes and operational needs.

Third-Party Risk Management and Supply Chain Considerations

The risks posed by third parties and supply chains demand thorough oversight:

• Third-Party Risk Management:
  • Involves due diligence in vendor selection and ongoing monitoring to ensure compliance with agreements.
• Supply Chain Resilience:
  • Requires risk assessments for geopolitical concerns, vendor dependencies, and potential disruptions.
  • Entities should maintain an inventory of third-party relationships and implement robust incident response plans.

The Development Section of the DA&M Lifecycle

The Development section of the DA&M booklet emphasizes the critical role of IT development in aligning with enterprise objectives and delivering value through secure and efficient systems. By focusing on development standards, testing practices, and emerging methodologies like DevOps and DevSecOps, this section provides a roadmap for ensuring that IT development activities meet organizational and regulatory requirements.

Scope of Development Section of the DA&M Booklet

Development involves defining, designing, testing, and implementing IT systems or components. This stage is foundational for aligning technology solutions with an organization’s operational goals and customer needs. Proper planning and execution during this phase ensure that IT systems can adapt to changing business requirements and evolving security threats.

Effective development is not just about technical execution; it involves collaboration between technical teams, business stakeholders, and external vendors. Whether development activities are performed in-house, outsourced, or involve hybrid teams, the emphasis must remain on quality, security, and alignment with organizational objectives.

Development Standards and Controls in the DA&M Booklet

Development standards and controls provide the foundation for creating reliable and secure IT systems. These controls ensure that systems meet functional requirements while adhering to security protocols and coding best practices. Establishing robust standards helps streamline development processes, reduces errors, and enhances overall system quality.

Key Components of Development Standards

Effective development relies on clear standards and controls, which include:

• System Functionality:
  • Define system capabilities to meet business needs.
  • Ensure automated control features are in place to manage processes efficiently.
• Security:
  • Build robust security controls into the design to safeguard data and systems.
  • Incorporate encryption, secure access, and logging mechanisms.
• Coding Standards:
  • Use standardized coding practices to maintain consistency and reduce errors.
  • Encourage reusable and modular code for scalability and maintainability.
• Quality Management:
  • Establish specifications to ensure development outputs meet predefined criteria.
  • Implement quality assurance (QA) processes that are independent of the development team to maintain objectivity.

Testing Practices Outlined in the DA&M Booklet

Testing is an integral part of the development process, serving as a checkpoint to validate that systems meet functional, security, and compliance requirements. Comprehensive testing mitigates risks by identifying vulnerabilities and defects before deployment, ensuring that the final product operates as intended.

The DA&M booklet emphasizes a multi-layered approach to testing, incorporating both functional and non-functional testing methodologies. These methodologies address various aspects of system performance, user experience, and security.

Testing Types

• Static Analysis: Analyzes code without executing it to identify vulnerabilities.
• Unit Testing: Validates individual components for expected functionality.
• Security Testing: Ensures that systems are resilient against unauthorized access and attacks.
• Integration Testing: Confirms that different system components work together as intended.
• User Acceptance Testing (UAT): Verifies that systems meet user requirements before deployment.
• Regression Testing: Checks for new errors after updates or changes to the system.
• Stress Testing: Assesses system performance under heavy workloads to ensure stability.

Testing Objectives

• Confirm that systems meet architectural, functional, and regulatory requirements.
• Identify vulnerabilities before deployment and establish plans for remediation.

Emerging Development Methodologies: DevOps and DevSecOps

Modern development methodologies are reshaping how organizations create and deploy IT systems. Agile practices, automation, and integrated security measures are now considered best practices for improving development efficiency and reducing risks.

Two prominent methodologies highlighted in the DA&M booklet are DevOps and DevSecOps.

DevOps

DevOps emphasizes collaboration between development and operations teams to streamline workflows and accelerate software delivery.

• Core Principles:
  • Automate build, test, and deployment processes.
  • Use continuous integration and continuous deployment (CI/CD) pipelines to streamline workflows.
• Key Benefits:
  • Shorter development cycles.
  • Increased deployment frequency.
  • Faster time-to-market for new features.

DevSecOps

DevSecOps extends DevOps principles by embedding security throughout the development lifecycle.

• Core Principles:
  • Automate security testing and monitoring.
  • Incorporate controls such as access management, logging, and secure coding practices.
• Key Benefits:

• Ensures that security vulnerabilities are identified and addressed early in the development process.
• Maintains compliance with regulatory and industry standards.

Functional Development Types

The development of IT systems often requires specialized approaches tailored to specific organizational needs and business goals. Functional development types address distinct aspects of IT systems, from the design of physical hardware to the creation of complex data analytics tools. Each type plays a unique role in ensuring the functionality, scalability, and adaptability of systems within a modern technological environment.

The DA&M booklet categorizes development activities into several key areas, each emphasizing the integration of secure practices and operational alignment. By understanding these development types, organizations can better allocate resources, streamline workflows, and build systems that are not only effective but also resilient to change and risk. Below are the main categories of functional development types and their specific considerations.

Hardware Development

• Involves designing and building physical components that integrate with software systems.
• Requires in-depth knowledge of both hardware engineering and software compatibility.

Front-End Development

• Focuses on enhancing the user experience through effective interfaces and intuitive designs.
• Incorporates business rules and customer needs into interface development.

Backend Development

• Manages databases, APIs, and business logic to support front-end operations.
• Ensures seamless communication between data storage and user interfaces.

Big Data Development

• Addresses large-scale data processing needs.
• Involves designing tools for data mining, visualization, and quantitative analysis.

The Acquisition Section of the DA&M Lifecycle

The Acquisition section of the DA&M booklet outlines the processes and strategies involved in procuring IT systems and components. This phase ensures that acquired products and services align with organizational objectives, maintain security and resilience, and comply with regulatory standards. By addressing risks inherent in vendor relationships and supply chain operations, the acquisition process becomes a critical component of effective IT governance.

Scope of Acquisition Section of the DA&M Booklet

Acquisition encompasses all stages of obtaining IT products or services, from defining requirements to managing contracts. This phase involves identifying suitable vendors, negotiating terms, and establishing agreements that support the organization’s operational and strategic goals. Effective acquisition not only secures the necessary resources but also mitigates potential risks related to supply chain disruptions, compliance violations, and security vulnerabilities.

Acquisition activities are integral to building a resilient IT infrastructure, whether systems are developed in-house, outsourced, or obtained as off-the-shelf solutions. The DA&M booklet emphasizes that acquisition decisions should be informed by thorough due diligence, a clear understanding of requirements, and robust risk management practices.

Acquisition Policies, Standards, and Procedures

The DA&M booklet highlights the importance of establishing comprehensive acquisition policies, standards, and procedures to guide procurement activities. These guidelines ensure consistency, transparency, and alignment with organizational objectives.

Key Components of Acquisition

1. Policy Framework:
   • Define acquisition policies that align with enterprise risk management strategies.
   • Specify compliance requirements, including regulatory and contractual obligations.
2. Standards:
   • Establish criteria for evaluating vendor proposals and system specifications.
   • Develop benchmarks for pricing, quality, and delivery timelines.
3. Procedures:
   • Outline clear steps for initiating procurement requests, evaluating vendors, and finalizing agreements.
   • Implement periodic reviews to adapt procedures to evolving business and regulatory landscapes.

These elements create a structured approach to acquisition that reduces ambiguity and streamlines decision-making.

Vendor Evaluation and Selection

Selecting the right vendors is critical to the success of IT acquisition projects. The DA&M booklet emphasizes thorough evaluation processes to ensure vendors meet organizational needs while minimizing associated risks.

Evaluation Criteria for Vendor Selection

1. Capabilities:
   • Assess vendors’ technical expertise and ability to deliver the required systems or services.
   • Evaluate compatibility with existing IT infrastructure.
2. Security and Resilience:
   • Verify vendors’ adherence to security standards, including data protection and incident response measures.
   • Ensure vendors have a robust business continuity plan to address potential disruptions.
3. Compliance:
   • Confirm vendors comply with regulatory requirements and industry standards.
   • Review third-party audits and certifications as part of due diligence.
4. Reputation and Reliability:
   • Examine vendors’ track records, including customer reviews and previous project outcomes.
   • Consider financial stability to assess long-term reliability.

Contracts and Agreements

Contracts formalize relationships with vendors, defining expectations and responsibilities for both parties. The DA&M booklet emphasizes the importance of comprehensive agreements to protect organizational interests and mitigate risks.

Key Contract Types

1. Statement of Work (SOW):
   • Outlines deliverables, timelines, and performance criteria.
   • Provides clarity on project scope and objectives.
2. Master Services Agreement (MSA):
   • Establishes overarching terms and conditions for long-term vendor relationships.
   • Simplifies the negotiation process for subsequent projects.
3. Service Level Agreement (SLA):
   • Defines measurable performance metrics and penalties for non-compliance.
   • Ensures accountability for service quality and availability.
4. Escrow Agreements:
   • Provide access to source code or critical documentation in case of vendor insolvency or contract termination.
5. Exit Strategies:
   • Include terms for contract termination and transition planning to minimize disruption.

Supply Chain Risk Management

The acquisition process extends beyond vendor selection to include the entire supply chain. Managing supply chain risks ensures that products and services remain secure, reliable, and compliant throughout their lifecycle.

Risk Factors

1. Geopolitical Risks:
   • Assess potential disruptions due to political instability or regulatory changes in vendor regions.
2. Third-Party Dependencies:
   • Evaluate risks associated with subcontractors and other vendors in the supply chain.
3. Delivery Risks:
   • Ensure redundancy and backup suppliers to mitigate delays or shortages.

Mitigation Strategies

• Maintain an inventory of third-party relationships and their associated risks.
• Establish monitoring mechanisms to track supply chain performance and compliance.
• Implement incident response plans to address disruptions quickly and effectively.

Acquisition Projects and Processes

The DA&M booklet emphasizes that acquisition should be treated as a project with defined phases and objectives. This approach ensures transparency and accountability throughout the procurement lifecycle.

Acquisition Process Phases

1. Initiation:
   • Identify business needs and define system requirements.
   • Establish a budget and secure stakeholder approval.
2. Solicitation:
   • Develop and distribute requests for proposals (RFPs) to potential vendors.
   • Ensure RFPs clearly articulate requirements, evaluation criteria, and timelines.
3. Evaluation and Selection:
   • Score vendor proposals based on predefined criteria.
   • Conduct interviews and site visits to validate vendor capabilities.
4. Contract Negotiation:
   • Finalize terms and agreements, ensuring alignment with organizational priorities.
   • Include legal review to address potential liabilities.
5. Closeout:
   • Document outcomes, lessons learned, and vendor performance.
   • Transition to operational teams for implementation and monitoring.

The Maintenance Section of the DA&M Lifecycle

The Maintenance section of the DA&M booklet underscores the importance of sustaining IT systems and components throughout their operational lifecycle. Effective maintenance ensures that systems remain secure, reliable, and aligned with organizational objectives. This phase includes preventive care, updates, and end-of-life planning, emphasizing a proactive approach to managing IT assets.

Scope of Maintenance Section of the DA&M Booklet

Maintenance activities focus on ensuring the ongoing functionality and security of IT systems after their development or acquisition. This phase involves more than routine updates—it includes a comprehensive strategy for monitoring, adapting, and extending the life of systems and components to support organizational goals.

The DA&M booklet highlights that well-maintained systems contribute to business continuity, reduce the likelihood of failures, and safeguard sensitive data. Maintenance efforts should be integrated into an entity’s broader IT governance framework to ensure alignment with risk management strategies and regulatory compliance.

Preventive Maintenance

Preventive maintenance is a cornerstone of effective IT asset management. It involves regular checks, updates, and adjustments to preempt potential system failures and ensure optimal performance.

Key Preventive Maintenance Activities

1. Monitoring:
   • Track system performance metrics to identify early warning signs of potential issues.
   • Use automated monitoring tools to detect anomalies or vulnerabilities.
2. Patching and Updates:
   • Apply security patches and software updates to address known vulnerabilities.
   • Test patches in a controlled environment before deployment to production systems.
3. Hardware Servicing:
   • Schedule regular maintenance for physical components, such as servers and networking equipment.
   • Replace aging hardware to prevent unexpected failures.
4. Performance Tuning:
   • Optimize system configurations to enhance efficiency and reduce resource consumption.
   • Regularly review and update performance benchmarks.

Change Management

Change management ensures that modifications to IT systems are executed in a controlled and secure manner. This process minimizes disruptions and maintains system integrity during updates, upgrades, or emergency fixes.

Types of Changes

1. Routine Modifications:
   • Includes minor updates, such as user interface changes or feature enhancements.
   • Typically follows predefined workflows for approval and implementation.
2. Major Modifications:
   • Encompasses significant changes, such as system overhauls or integration of new components.
   • Requires detailed planning, impact analysis, and testing.
3. Emergency Changes:
   • Addresses critical issues, such as security breaches or system outages.
   • Involves expedited processes with immediate risk assessments and rollback plans.

Key Components of Change Management

• Impact Analysis:
  • Assess potential effects of changes on system performance, security, and user experience.
• Approval Processes:
  • Establish clear workflows for obtaining necessary approvals before implementing changes.
• Documentation:
  • Maintain detailed records of all changes, including purpose, scope, and outcomes.

End-of-Life (EOL) and End-of-Support (EOS) Management

Managing the end-of-life and end-of-support phases for IT systems and components is critical to minimizing risks and ensuring smooth transitions to new technologies.

EOL and EOS Considerations

1. Risk Assessment:
   • Identify risks associated with outdated systems, such as security vulnerabilities and compatibility issues.
2. Transition Planning:
   • Develop a roadmap for migrating to newer systems or technologies.
   • Include training and support for users during transitions.
3. Disposal and Decommissioning:
   • Ensure secure disposal of obsolete hardware to prevent data breaches.
   • Retire outdated software in a manner compliant with regulatory requirements.

Maintenance Documentation

Comprehensive documentation is essential for effective maintenance. It provides a reference for troubleshooting, future updates, and audits.

Key Documentation Practices

1. System Inventories:
   • Maintain up-to-date records of all IT assets, including hardware, software, and licenses.
2. Maintenance Logs:
   • Record all maintenance activities, including dates, actions taken, and outcomes.
3. Access Controls:
   • Restrict documentation access based on roles to protect sensitive information.

Maintenance Personnel and Responsibilities

The DA&M booklet emphasizes that maintenance requires a collaborative effort across multiple roles to ensure effective execution and oversight.

Maintenance Roles

1. IT Staff:
   • Conduct routine monitoring, updates, and troubleshooting.
   • Ensure that all systems remain operational and meet performance benchmarks.
2. Change Control Board (CCB):
   • Review and approve change requests to maintain system integrity.
   • Prioritize changes based on impact and urgency.
3. Third-Party Vendors:
   • Provide specialized support for proprietary systems and components.
   • Ensure compliance with contractual terms and service-level agreements.

Partner with NETBankAudit for Robust IT Risk Management and Compliance Support

In today's rapidly evolving financial landscape, safeguarding your institution against cybersecurity threats and ensuring compliance with complex regulatory standards are paramount. NETBankAudit stands as a trusted partner, offering tailored solutions to navigate these challenges effectively.

Why Choose NETBankAudit?

• Proven Expertise: With over 23 years of success, NETBankAudit has assisted more than 800 organizations across 38 states, delivering specialized IT and cybersecurity audits, risk assessments, and compliance solutions.
• Certified Professionals: Our senior-level auditing team brings over a decade of industry and regulatory experience, holding certifications such as CISA, CISSP, CISM, and CRISC.
• Comprehensive Services: From internal audits and risk assessments to vulnerability and penetration testing, we provide a holistic approach to IT risk management and compliance.

Partnering with NETBankAudit means entrusting your institution's IT risk management and compliance needs to seasoned experts dedicated to your success. Reach out today to navigate the complexities of today's cybersecurity landscape with confidence.