>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SA-15Development Process, Standards, and Tools

Moderate
High

>Control Description

a

Require the developer of the system, system component, or system service to follow a documented development process that:

1.

Explicitly addresses security and privacy requirements;

2.

Identifies the standards and tools used in the development process;

3.

Documents the specific tool options and tool configurations used in the development process; and

4.

Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and

b

Review the development process, standards, tools, tool options, and tool configurations organization-defined frequency to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: organization-defined security and privacy requirements.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation.

Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

>Cross-Framework Mappings

SCF

TDA-06
Compare

>Programmatic Queries

Beta

Related Services

AWS CodePipeline
AWS CodeBuild
Amazon CodeGuru

CLI Commands

List CodePipeline pipelines
aws codepipeline list-pipelines
List CodeBuild projects and configurations
aws codebuild batch-get-projects --names PROJECT_NAME
List CodeGuru profiling groups
aws codeguruprofiler list-profiling-groups
List CodeGuru Reviewer recommendations
aws codeguru-reviewer list-recommendations --code-review-arn CODE_REVIEW_ARN
Open AWS ConsoleDocumentation

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

SonarQube

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-15?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-15?
  • How is security integrated throughout your system development lifecycle (SDLC)?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?
  • What security practices are required at each phase of the SDLC?
  • What secure coding practices and standards are required for developers?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?
  • Can you show evidence of security activities performed during development?
  • Can you provide code review or static analysis results?

Ask AI

Configure your API key to use AI features.