NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-3(1) Manage Preproduction Environment

Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The preproduction environment includes development, test, and integration environments. The program protection planning processes established by the Department of Defense are examples of managing the preproduction environment for defense contractors. Criticality analysis and the application of controls on developers also contribute to a more secure system development environment.

Practitioner Notes

Manage your preproduction (development, test, staging) environments with appropriate security controls. These environments are often targets because they have weaker protections but may contain real data or provide a path to production.

Example 1: Apply security controls to development and test environments that are proportional to the data they contain. At minimum: access control, network segmentation from production, and regular patching. Never use production credentials in preproduction environments.

Example 2: In Azure, create separate subscriptions for dev, test, and production with Azure Policy enforcement on each. Use Azure Blueprints to ensure consistent security baselines across all environments. Lock production access so developers cannot directly access production systems from their development tools.
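One way to audit the minimums from Example 1 is sketched below as an added example; it is not part of NIST 800-53 or of any vendor tooling. It flags preproduction secrets that match a production secret and production inbound rules that admit preproduction address space. The inventory layout, environment names, and all values are constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed sample inventory; the layout and every value are assumptions.
ENVIRONMENTS = {
    "production": {
        "cidr": "10.0.0.0/16",
        "inbound_allow": ["10.0.0.0/16", "10.20.0.0/24"],
        "secrets": {"DB_PASSWORD": "Pr0d-db-pass!", "API_KEY": "prod-api-key-1"},
    },
    "staging": {
        "cidr": "10.10.0.0/16",
        "inbound_allow": ["10.10.0.0/16"],
        "secrets": {"DB_PASSWORD": "Pr0d-db-pass!", "API_KEY": "stg-api-key-9"},
    },
    "dev": {
        "cidr": "10.20.0.0/16",
        "inbound_allow": ["10.20.0.0/16"],
        "secrets": {"DB_PASSWORD": "dev-only", "API_KEY": "dev-api-key-3"},
    },
}

def fingerprint(value):
    """Hash a secret so findings can be reported without exposing the value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def find_reused_credentials(envs, prod="production"):
    """Return (environment, setting, production setting) for each reused secret."""
    prod_prints = {fingerprint(v): k for k, v in envs[prod]["secrets"].items()}
    findings = []
    for name, env in envs.items():
        if name == prod:
            continue
        for key, value in env["secrets"].items():
            match = prod_prints.get(fingerprint(value))
            if match:
                findings.append((name, key, match))
    return findings

def find_segmentation_gaps(envs, prod="production"):
    """Return (environment, rule) for production inbound rules that admit preproduction."""
    rules = [ipaddress.ip_network(r) for r in envs[prod]["inbound_allow"]]
    findings = []
    for name, env in envs.items():
        if name == prod:
            continue
        net = ipaddress.ip_network(env["cidr"])
        findings += [(name, str(r)) for r in rules if r.overlaps(net)]
    return findings
```

In practice the inventory would be exported from a secrets manager and the network rule set rather than written inline, and only the fingerprints need to leave the system that holds the secrets.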