Require the developer of the system, system component, or system service to follow a documented development process that: Explicitly addresses security and privacy requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}.
family SA
framework nist-800-53
ATT&CK techniques this control defends against
✓ covered by Sigma/YARA in our corpus
× = detection gap
Equivalent controls in other frameworks click any to see its ATT&CK technique mappings
Require the developer of the system, system component, or system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics {{ insert: param, sa-15.01_odp.01 }}.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.
family SA
framework nist-800-53
Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.
family SA
framework nist-800-53
Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.
family SA
framework nist-800-53
Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to perform a criticality analysis: At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}.
family SA
framework nist-800-53
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service {{ insert: param, sa-15.07_odp.01 }} to: Perform an automated vulnerability analysis using {{ insert: param, sa-15.07_odp.02 }}; Determine the exploitation potential for discovered vulnerabilities; Determine potential risk mitigations for delivered vulnerabilities; and Deliver the outputs of the tools and results of the analysis to {{ insert: param, sa-15.07_odp.03 }}.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
family SA
framework nist-800-53
family SA
framework nist-800-53