SA-15: Development Process, Standards, and Tools

CSF v1.1 References:

PF v1.0 References:

Baselines:

  • Low

    N/A

  • Moderate
  • High
  • Privacy

    N/A

Previous Version:

Control Statement

  1. Require the developer of the system, system component, or system service to follow a documented development process that:
    1. Explicitly addresses security and privacy requirements;
    2. Identifies the standards and tools used in the development process;
    3. Documents the specific tool options and tool configurations used in the development process; and
    4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
  2. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].

Supplemental Guidance

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

Control Enhancements

SA-15(1): Quality Metrics

Baseline(s):

(Not part of any baseline)

Require the developer of the system, system component, or system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics [Assignment (one or more): [Assignment: organization-defined frequency] , [Assignment: organization-defined program review milestones] , upon delivery].

SA-15(2): Security and Privacy Tracking Tools

Baseline(s):

(Not part of any baseline)

Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.

SA-15(3): Criticality Analysis

Baseline(s):

  • Moderate
  • High

Require the developer of the system, system component, or system service to perform a criticality analysis: At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].

SA-15(5): Attack Surface Reduction

Baseline(s):

(Not part of any baseline)

Require the developer of the system, system component, or system service to reduce attack surfaces to [Assignment: organization-defined thresholds].

SA-15(6): Continuous Improvement

Baseline(s):

(Not part of any baseline)

Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.

SA-15(7): Automated Vulnerability Analysis

Baseline(s):

(Not part of any baseline)

Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; Determine the exploitation potential for discovered vulnerabilities; Determine potential risk mitigations for delivered vulnerabilities; and Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or…

SA-15(8): Reuse of Threat and Vulnerability Information

Baseline(s):

(Not part of any baseline)

Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.

SA-15(10): Incident Response Plan

Baseline(s):

(Not part of any baseline)

Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.

SA-15(11): Archive System or Component

Baseline(s):

(Not part of any baseline)

Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.