Control SA-11
Developer Testing and Evaluation (SA-11)
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
Security Baselines
MODERATE, HIGH, LOW
acquisition, sdlc, services, supply-chain
Why These Connect
Baselined In (2)
This control is included in the linked security baseline (LOW, MODERATE, or HIGH).
Supports (28)
These related controls work together — a change to one may affect the others.
Enhances (9)
These enhancements add specific capabilities or refinements to the base control.
Related Controls (18)
AT-3 Role-based Training (AT-3) [L, M, H]
CA-2 Control Assessments (CA-2) [L, M, H]
CA-7 Continuous Monitoring (CA-7) [L, M, H]
CA-8 Penetration Testing (CA-8) [H]
PM-15 Security and Privacy Groups and Associations (PM-15)
PM-31 Continuous Monitoring Strategy (PM-31)
RA-5 Vulnerability Monitoring and Scanning (RA-5) [L, M, H]
SA-3 System Development Life Cycle (SA-3) [L, M, H]
SA-4 Acquisition Process (SA-4) [L, M, H]
SA-5 System Documentation (SA-5) [L, M, H]
CM-4 Impact Analyses (CM-4) [L, M, H]
SA-8 Security and Privacy Engineering Principles (SA-8) [L, M, H]
SA-15 Development Process, Standards, and Tools (SA-15) [M, H]
SA-17 Developer Security and Privacy Architecture and Design (SA-17) [H]
SI-2 Flaw Remediation (SI-2) [L, M, H]
SR-5 Acquisition Strategies, Tools, and Methods (SR-5) [L, M, H]
SR-6 Supplier Assessments and Reviews (SR-6) [M, H]
SR-7 Supply Chain Operations Security (SR-7)
Control Enhancements (9)
SA-11(1) Static Code Analysis (SA-11(1))
SA-11(2) Threat Modeling and Vulnerability Analyses (SA-11(2))
SA-11(3) Independent Verification of Assessment Plans and Evidence (SA-11(3))
SA-11(4) Manual Code Reviews (SA-11(4))
SA-11(5) Penetration Testing (SA-11(5))
SA-11(6) Attack Surface Reviews (SA-11(6))
SA-11(7) Verify Scope of Testing and Evaluation (SA-11(7))
SA-11(8) Dynamic Code Analysis (SA-11(8))
SA-11(9) Interactive Application Security Testing (SA-11(9))