SM-10-005  System Development Lifecycle

Issue Date:  9/15/2009

Revision Effective Date:  3/15/2010


A System Development Life Cycle (SDLC) is a systematic and orderly approach for solving business and IT related problems.  A SDLC consists of a methodology of repeatable steps for delivering systems that meet the business requirements.  Such steps may include identifying business requirements, converting those requirements into system requirements and ultimately delivering the system.  There are a number of recognized SDLC methodologies in use, each of which has specific strengths and shortcomings.  Most methodologies provide guidelines for specific deliverables in the form of templates for each project phase.   Benefits of using a documented SDLC include the following:

  • Breaks the project into smaller and more manageable steps which may also result in more effective project management (i.e., resource assignment to project related activities at appropriate points based on specific project phase requirements)
  • Allows for review of system compliance with pre-defined IT policies, standards and guidelines at specific project lifecycle transition points (i.e., transition from design to quality assurance)
  • Requires documentation that can be leveraged for future system enhancement, maintenance and support
  • Enhances future project audit ability by providing a structured approach with specific deliverables for system development
  • Provides a mechanism for understating and addressing the security needs of information systems in order to ensure compliance with enterprise architecture security standards
  • Establishes system quality assurance as a fundamental component of delivering systems that meet business and IT system needs (i.e., system usability, functionality, performance, availability,   functionality, maintainability, supportability, expandability, integrity, security and audit ability)


An agency that develops, customizes or maintains IT application solutions for use in performing a business function shall ensure that only authorized system development lifecycles (SDLC) are used by its application development staff (including contracted development staff and system integrators).   The agency shall:

  1. Select, customize or develop one or more SDLC(s) appropriate to its own solution development operations and selection of software for use.  A selected SDLC shall be documented in the agency IT policy and procedure manual.  Documentation shall include, but not be limited to, the following:
    1. Name of industry best practice SDLC upon which the agency SDLC is adopted or patterned,
    2. Phases, or major work breakdown steps, specified by the SDLC,
    3. Deliverables and responsibilities for their preparation from each phase,
    4. Activities which must be coordinated with representatives of functions apart from development staff, specifying timing and agenda for the coordination.
    5. Management and coordination activities including those performed by and with Business Owners and other business staff.
  2. Agency authorized SDLCs shall be coordinated with the Enterprise Performance Lifecycle in a manner that nothing in an authorized SDLC invalidates any provisions of the Enterprise Performance Lifecycle.
  3. On specific development and customization projects, the Project Manager shall adapt one of the agency authorized SDLCs to the project, so that the methodology specified in the SDLC meets the specific needs in risk, cost and complexity of the project at hand.
  4. On specific development and customization projects involving agency acquisition and agency use of COTS products requiring third-party integration, the agency shall:
    1. Determine the SDLC that the third-party integrator intends to use for integration and possible future maintenance,
    2. Negotiate, if needed, an alternative SDLC that the agency deems more appropriate, and
    3. Document in its policy and procedure manual, the specific SDLC which the agency approves for integration of the COTS product and future maintenance, if not already documented therein.


Industry Best Practice SDLC - While this list is not all inclusive, the term indicates an established SDLC such as, but not limited to, “waterfall”, Spiral, Rapid Application Development, Agile, Incremental, and Rapid Prototyping.


  1. “Formal Review Guidebook”, GTA Program Management Office, Georgia Technology Authority, State of Georgia, 2001.
  2. “The Department of Justice System Development Life Cycle Guidance Document”, United States Department of Justice, January 2003.
  3. “System Development Life Cycle Management (SDLC), Volume 1 – Introduction to SDLC”, Maryland Department of Budget and Management Technology, Office of Information, State of Maryland, July, 2004.
  4. “IS Standards, Guidelines and Procedures for Auditing and Control Professionals”, Information Systems Audit and Control Association,  3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois,  October 2008.


While it may appear that an SDLC and the Enterprise Performance Lifecycle Framework (EPLC) are incompatible, in practice they can work together quite well.  An SDLC typically covers only project development tasks which are primarily incorporated in the EPLC stages 3 through 7.  The scope of the EPLC is for the entire life of an investment, from concept through sunset or retirement.  When defining their agency’s SDLC’s and when planning specific projects, the agency should ensure that the steps of the SDLC and stages of the EPLC are in coordination, especially when a specific project warrants an abbreviated project plan due to lack of complexity and risk.  


  1. System Lifecycle Management, standard (SS-08-025)
  2. Enterprise Performance Framework, standard (SM-10-006)
  3. Enterprise Performance Management, standard (SM-10-007)
  4. Technology Project Management, standard (SM-03-006)