Control SA-15
Development Process, Standards, and Tools (SA-15)
Require the developer of the system, system component, or system service to follow a documented development process that:
Review the development process, standards, tools, tool options, and tool configurations [organization-defined] to determine if the process, standards, tools, tool options, and tool configurations selected and employed can satisfy the following security and privacy requirements: [organization-defined].
Security Baselines
MODERATE, HIGH, LOW
Tags: acquisition, sdlc, services, supply-chain
Why These Connect
Baselined In (2)
This control is included in the linked security baseline (LOW, MODERATE, or HIGH).
Supports (35)
These related controls work together — a change to one may affect the others.
Enhances (13)
These enhancements add specific capabilities or refinements to the base control.
Related Controls (20)
AC-6 Least Privilege (AC-6) MH
CM-2 Baseline Configuration (CM-2) LMH
CM-7 Least Functionality (CM-7) LMH
CP-2 Contingency Plan (CP-2) LMH
IR-8 Incident Response Plan (IR-8) LMH
MA-6 Timely Maintenance (MA-6) MH
RA-5 Vulnerability Monitoring and Scanning (RA-5) LMH
RA-9 Criticality Analysis (RA-9) MH
SA-3 System Development Life Cycle (SA-3) LMH
SA-4 Acquisition Process (SA-4) LMH
SA-5 System Documentation (SA-5) LMH
SA-8 Security and Privacy Engineering Principles (SA-8) LMH
SA-10 Developer Configuration Management (SA-10) MH
SA-11 Developer Testing and Evaluation (SA-11) MH
SR-3 Supply Chain Controls and Processes (SR-3) LMH
SR-4 Provenance (SR-4)
SR-5 Acquisition Strategies, Tools, and Methods (SR-5) LMH
SR-6 Supplier Assessments and Reviews (SR-6) MH
SR-9 Tamper Resistance and Detection (SR-9) H
SC-3 Security Function Isolation (SC-3) H
Control Enhancements (13)
SA-15(1) Quality Metrics (SA-15(1))
SA-15(2) Security and Privacy Tracking Tools (SA-15(2))
SA-15(3) Criticality Analysis (SA-15(3)) MH
SA-15(4) Threat Modeling and Vulnerability Analysis (SA-15(4)) W
SA-15(5) Attack Surface Reduction (SA-15(5))
SA-15(6) Continuous Improvement (SA-15(6))
SA-15(7) Automated Vulnerability Analysis (SA-15(7))
SA-15(8) Reuse of Threat and Vulnerability Information (SA-15(8))
SA-15(9) Use of Live Data (SA-15(9)) W
SA-15(10) Incident Response Plan (SA-15(10))
SA-15(11) Archive System or Component (SA-15(11))
SA-15(12) Minimize Personally Identifiable Information (SA-15(12))
SA-15(13) Logging Syntax (SA-15(13))