System and Services Acquisition (SA)

Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.


Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:
(a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].


Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.


[Withdrawn: Moved to SR-11(3).]


Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.


Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.


Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.


Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [Assignment: organization-defined training].


Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:
a. Is consistent with the organization's security and privacy architecture that is an integral part of the organization's enterprise architecture;
b. Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and
c. Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.


Require the developer of the system, system component, or system service to:
(a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and
(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented.
