This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
NIST SP 800-53 (r4) Supplemental Guidance:
Applications may deviate significantly from the functional and design specifications created during the requirements and design phases of the system development life cycle. Therefore, threat and vulnerability analyses of information systems, system components, and information system services prior to delivery are critical to the effective operation of those systems, components, and services. Threat and vulnerability analyses at this phase of the life cycle help to ensure that design or implementation changes have been accounted for, and that any new vulnerabilities created as a result of those changes have been reviewed and mitigated. Related controls: PM-15, RA-5.
NIST SP 800-53 (r5) Discussion:
Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated.
38North Guidance:
Meets Minimum Requirement:
Require the developer to perform threat and vulnerability analyses of the system, component, or service as it is actually built (not only as designed), and to incorporate vulnerability scanning, analysis, and testing/evaluation activities into development as part of developer security testing and evaluation. Repeat the analyses when design or implementation changes are made, and retain the resulting reports.
Best Practice:
None.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Reports of threat and vulnerability analyses of the as-built system, component, or service, together with the results of the subsequent testing/evaluation showing that identified vulnerabilities were reviewed and mitigated.
CSP Implementation Tips:
None.