SA-15: Development Process, Standards, And Tools
Control Family:
Baselines:
- Low
N/A
- Moderate
N/A
- High
- SA-15
Next Version:
- NIST Special Publication 800-53 Revision 5:
- SA-15: Development Process, Standards, and Tools
Control Statement
The organization:
- Requires the developer of the information system, system component, or information system service to follow a documented development process that:
- Explicitly addresses security requirements;
- Identifies the standards and tools used in the development process;
- Documents the specific tool options and tool configurations used in the development process; and
- Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
- Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].
Supplemental Guidance
Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes.
Control Enhancements
SA-15(1): Quality Metrics
Baseline(s):
The organization requires the developer of the information system, system component, or information system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].
SA-15(2): Security Tracking Tools
Baseline(s):
The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.
SA-15(3): Criticality Analysis
Baseline(s):
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].
SA-15(4): Threat Modeling / Vulnerability Analysis
Baseline(s):
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that: Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; Employs [Assignment: organization-defined tools and methods]; and Produces evidence that meets [Assignment: organization-defined acceptance criteria].
SA-15(5): Attack Surface Reduction
Baseline(s):
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
SA-15(6): Continuous Improvement
Baseline(s):
The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
SA-15(7): Automated Vulnerability Analysis
Baseline(s):
The organization requires the developer of the information system, system component, or information system service to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; Determine the exploitation potential for discovered vulnerabilities; Determine potential risk mitigations for delivered vulnerabilities; and Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel…
SA-15(8): Reuse Of Threat / Vulnerability Information
Baseline(s):
The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
SA-15(9): Use Of Live Data
Baseline(s):
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.
SA-15(10): Incident Response Plan
Baseline(s):
The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.
SA-15(11): Archive Information System / Component
Baseline(s):
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.