NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-8(29) — Repeatable and Documented Procedures
Implement the security design principle of repeatable and documented procedures in {{ insert: param, sa-08.29_odp }}.
Supplemental Guidance
The principle of repeatable and documented procedures states that the techniques and methods employed to construct a system component permit the same component to be completely and correctly reconstructed at a later time. Repeatable and documented procedures support the development of a component that is identical to the component created earlier, which may be in widespread use. In the case of other system artifacts (e.g., documentation and testing results), repeatability supports consistency and the ability to inspect the artifacts. Repeatable and documented procedures can be introduced at various stages within the system development life cycle and contribute to the ability to evaluate assurance claims for the system. Examples include systematic procedures for code development and review, procedures for the configuration management of development tools and system artifacts, and procedures for system delivery.
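The "completely and correctly reconstructed at a later time" requirement is what reproducible builds operationalise. The following added example (written for this page, not NIST text) packages a constructed sample component two ways: a naive build that embeds wall-clock timestamps and caller-dependent file order, and a documented deterministic procedure whose output can be rebuilt from the retained sources and checked against the recorded digest. FIXED_MTIME and SAMPLE_FILES are constructed values.

```python
import hashlib
import io
import tarfile
import time

# Fixed timestamp baked into deterministic builds (same role as SOURCE_DATE_EPOCH).
FIXED_MTIME = 1_700_000_000

# Constructed sample "component" (path -> contents); not a real product.
SAMPLE_FILES = {
    "bin/agent": b"#!/bin/sh\necho agent\n",
    "etc/agent.conf": b"log_level=info\n",
    "share/NOTICE": b"built by the release pipeline\n",
}

def build_artifact(files, deterministic, build_time=None):
    """Package files into an uncompressed tar and return its bytes.
    Non-deterministic mode stamps entries with the wall-clock build time and keeps
    caller order, so the same sources yield a new artifact each run; deterministic
    mode pins entry order, mtime, mode and owner so bytes depend on sources alone."""
    if build_time is None:
        build_time = time.time()
    order = sorted(files) if deterministic else list(files)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in order:
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = FIXED_MTIME if deterministic else int(build_time)
            if deterministic:
                info.mode, info.uid, info.gid = 0o644, 0, 0
                info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def digest(artifact):
    """SHA-256 of the artifact, recorded with the release as the assurance claim."""
    return hashlib.sha256(artifact).hexdigest()

def verify_rebuild(files, recorded_digest):
    """Rebuild from retained sources with the documented procedure and check
    that the result reproduces the recorded digest."""
    return digest(build_artifact(files, deterministic=True)) == recorded_digest

if __name__ == "__main__":
    release = digest(build_artifact(SAMPLE_FILES, deterministic=True))
    print("release digest:", release, "reproducible:", verify_rebuild(SAMPLE_FILES, release))
```

A failed `verify_rebuild` at audit time means the procedure, the tooling or the retained sources drifted since release, which is exactly the gap this principle is meant to make visible.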
Practitioner Notes
Repeatable and documented procedures ensure that security activities are performed consistently every time, regardless of who performs them. Undocumented procedures live only in people's heads and leave when they do.
Example 1: Write standard operating procedures (SOPs) for all recurring security tasks: vulnerability scanning, patch management, account provisioning and deprovisioning, incident response, and backup verification. Include step-by-step instructions with screenshots so anyone with basic technical skills can follow them.
Example 2: Store SOPs in a central location (SharePoint, Confluence) with version control. Require procedures to be reviewed and updated annually or whenever the process changes. When new staff perform a procedure for the first time, have them follow the SOP and note any steps that are unclear or outdated — then update the SOP.