SA-15(7)—Development Process, Standards, and Tools | Automated Vulnerability Analysis
IL5
IL6
>Control Description
Require the developer of the system, system component, or system service ⚙organization-defined frequency to:
(a) Perform an automated vulnerability analysis using ⚙organization-defined tools;
(b) Determine the exploitation potential for discovered vulnerabilities;
(c) Determine potential risk mitigations for delivered vulnerabilities; and
(d) Deliver the outputs of the tools and results of the analysis to ⚙organization-defined personnel or roles.
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What acquisition policies and procedures address the requirements of SA-15(7)?
- •How are security and privacy requirements integrated into the acquisition process?
- •Who is responsible for ensuring that acquisitions comply with SA-15(7)?
Technical Implementation:
- •How are security requirements defined and documented in acquisition contracts?
- •What mechanisms ensure that acquired systems and services meet security requirements?
- •How do you validate that vendors and service providers comply with specified security controls?
- •What secure coding practices and standards are required for developers?
Evidence & Documentation:
- •Can you provide examples of acquisition documentation that includes security requirements?
- •What evidence demonstrates that acquired systems meet security specifications?
- •Where is acquisition security documentation maintained throughout the system lifecycle?
- •Can you provide code review or static analysis results?
Ask AI
Configure your API key to use AI features.