SA-15(4): Threat Modeling / Vulnerability Analysis

CSF v1.1 References:
(Not part of any baseline)

This control is withdrawn in the next version of this control set and incorporated into SA-11(2): Threat Modeling and Vulnerability Analyses.

Control Statement

The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:

  1. Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
  2. Employs [Assignment: organization-defined tools and methods]; and
  3. Produces evidence that meets [Assignment: organization-defined acceptance criteria].