SA-15: Development Process, Standards, and Tools
Control Family:
CSF v1.1 References:
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SA-15: Development Process, Standards, And Tools
Control Statement
- Require the developer of the system, system component, or system service to follow a documented development process that:
- Explicitly addresses security and privacy requirements;
- Identifies the standards and tools used in the development process;
- Documents the specific tool options and tool configurations used in the development process; and
- Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
- Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].
Supplemental Guidance
Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
Control Enhancements
SA-15(1): Quality Metrics
Baseline(s):
Require the developer of the system, system component, or system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics [Assignment (one or more): [Assignment: organization-defined frequency] , [Assignment: organization-defined program review milestones] , upon delivery].
SA-15(2): Security and Privacy Tracking Tools
Baseline(s):
Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.
SA-15(3): Criticality Analysis
Baseline(s):
- Moderate
- High
Require the developer of the system, system component, or system service to perform a criticality analysis: At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].
SA-15(5): Attack Surface Reduction
Baseline(s):
Require the developer of the system, system component, or system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
SA-15(6): Continuous Improvement
Baseline(s):
Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
SA-15(7): Automated Vulnerability Analysis
Baseline(s):
Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; Determine the exploitation potential for discovered vulnerabilities; Determine potential risk mitigations for delivered vulnerabilities; and Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or…
SA-15(8): Reuse of Threat and Vulnerability Information
Baseline(s):
Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
SA-15(10): Incident Response Plan
Baseline(s):
Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.
SA-15(11): Archive System or Component
Baseline(s):
Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.
SA-15(12): Minimize Personally Identifiable Information
Baseline(s):
Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.