Technology Development & Acquisition

Mechanisms exist to obtain, protect and distribute administrator documentation for systems that describe:
▪ Secure configuration, installation and operation of the system;
▪ Effective use and maintenance of security features/functions; and
▪ Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions.



Technology Development & Acquisition

Mechanisms exist to require vendors/contractors to provide information describing the functional properties of the security controls to be utilized within systems, system components or services in sufficient detail to permit analysis and testing of the controls.



Technology Development & Acquisition

Mechanisms exist to require a Software Bill of Materials (SBOM) for systems, applications and services that lists software packages in use, including versions and applicable licenses.



Technology Development & Acquisition

Mechanisms exist to require the developers of systems, system components or services to produce a design specification and security architecture that:
▪ Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;
▪ Accurately and completely describes the required security functionality and the allocation of security controls among physical and logical components; and
▪ Expresses how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection.



Technology Development & Acquisition

Mechanisms exist to secure physical diagnostic and test interfaces to prevent misuse.



Technology Development & Acquisition

Mechanisms exist to enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces.



Technology Development & Acquisition

Level N/A

Mechanisms exist to develop applications based on secure coding principles.



Technology Development & Acquisition

Mechanisms exist to require the developer of the system, system component or service to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC).



Technology Development & Acquisition

Level N/A

Mechanisms exist to perform threat modelling and other secure design techniques, to ensure that threats to software and solutions are identified and accounted for.



Technology Development & Acquisition

Mechanisms exist to utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of systems, applications and services.

