Skip to content

Technology Development & Acquisition Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Technology Development & Acquisition Policy
Framework Reference: Secure Controls Framework – Technology Development & Acquisition (TDA)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Technology Development & Acquisition requirements established by Summit Technology Holdings, LLC (STH). It documents FRHC’s Secure Development Lifecycle (SDLC) and the controls used to ensure security is integrated into all phases of technology development and acquisition across FRHC’s environment, including its Azure and AWS cloud infrastructure and Microsoft 365 platform.


This standard applies to all FRHC personnel, contractors, and third parties involved in the development, configuration, acquisition, or maintenance of FRHC applications and supporting systems. It covers custom development, commercial off-the-shelf (COTS) software, SaaS/cloud services, and open-source components used in FRHC’s environment.


3.1 Technology Development & Acquisition Program

Section titled “3.1 Technology Development & Acquisition Program”

FRHC integrates security and compliance into all phases of technology development and acquisition. New development projects undergo security requirements review and risk assessment prior to production deployment. New acquisitions—including third-party software, SaaS solutions, and cloud services—are assessed for security posture and compliance before being placed into production. Procurement coordinates with IT Security to ensure vendor security obligations are incorporated into contracts.

  • Parent Policy Mapping: STH Technology Development & Acquisition Policy, Section 3.1
  • SCF Mapping: TDA-01 (Technology Development & Acquisition)

FRHC developers follow documented secure coding practices addressing common vulnerability classes including SQL injection, cross-site scripting (XSS), insecure authentication, and insecure deserialization. Secure coding standards are maintained by IT Security and reviewed at least annually. All code changes undergo peer review prior to deployment, and automated security testing—including SAST and dependency scanning—is incorporated into FRHC’s build pipeline. Security defects identified during review or testing are tracked to closure before deployment.

  • Parent Policy Mapping: STH Technology Development & Acquisition Policy, Section 3.2
  • SCF Mapping: TDA-06 (Secure Software Development Practices (SSDP))

FRHC’s development environments and CI/CD pipelines enforce least-privilege access, multi-factor authentication (MFA), and secure secrets management. Build tooling is patched and maintained in accordance with FRHC’s Vulnerability & Patch Management Standard. Build provenance and pipeline logs are retained to maintain accountability and support audit activities.

  • Parent Policy Mapping: STH Technology Development & Acquisition Policy, Section 3.3
  • SCF Mapping: TDA-07 (Secure Development Environments)

3.4 Separation of Development, Testing, and Operational Environments

Section titled “3.4 Separation of Development, Testing, and Operational Environments”

FRHC maintains logically separated development, test, and production environments. There are no direct connections between non-production and production environments that could expose sensitive data. Access to production systems is limited, logged, and subject to FRHC’s Change Management process. CI/CD pipelines enforce environment-specific approval gates before promoting code to production.

  • Parent Policy Mapping: STH Technology Development & Acquisition Policy, Section 3.4
  • SCF Mapping: TDA-08 (Separation of Development, Testing and Operational Environments)

Production data must not be used in development or testing environments without documented business justification and explicit approval. Where approved, production data must be masked, anonymized, or de-identified before use, with access restricted to authorized personnel and the data securely disposed of after testing is complete. Synthetic or anonymized data is used by default. Use of ePHI in non-production environments requires documented exception approval.

  • Parent Policy Mapping: STH Technology Development & Acquisition Policy, Section 3.5
  • SCF Mapping: TDA-10 (Use of Live Data)

FRHC maintains evidence of SDLC documentation, secure coding standards, peer review records, SAST and dependency scan reports, environment separation configurations, and exception requests for live data use. IT Security reviews development security controls at least annually and after significant changes to FRHC’s technology stack. Evidence is retained to support SOC 2 Type II audits and HIPAA Security Rule compliance assessments.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Technology Development & Acquisition Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC7.2, CC7.3, CC7.4)
    • Processing Integrity (PI1.1, PI1.2)

Framework Alignment:

  • TDA-01 – Technology Development & Acquisition
  • TDA-06 – Secure Software Development Practices (SSDP)
  • TDA-07 – Secure Development Environments
  • TDA-08 – Separation of Development, Testing and Operational Environments
  • TDA-10 – Use of Live Data

RevDescriptionDateApproved
-Standard createdSeptember 2025M Machin
1.0Converted to current standard formatApril 2026M Machin

Internal Use Only