Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-15(4)

development process, standards, and tools  | threat modeling / vulnerability analysis

assessment objective:

Determine if the organization:

sa-15(4)[1]

defines the breadth of threat modeling and vulnerability analysis to be performed by developers for the information system;

sa-15(4)[2]

defines the depth of threat modeling and vulnerability analysis to be performed by developers for the information system;

sa-15(4)[3]

defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used in threat modeling and vulnerability analysis;

sa-15(4)[4]

defines tools and methods to be employed in threat modeling and vulnerability analysis;

sa-15(4)[5]

defines acceptance criteria for evidence produced from threat modeling and vulnerability analysis;

sa-15(4)[6]

requires that developers perform threat modeling and a vulnerability analysis for the information system at the organization-defined breadth/depth that:

sa-15(4)[6](a)

uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels;

sa-15(4)[6](b)

employs organization-defined tools and methods; and

sa-15(4)[6](c)

produces evidence that meets organization-defined acceptance criteria.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; threat modeling documentation; vulnerability analysis results; organizational risk assessments; acceptance criteria for evidence produced from threat modeling and vulnerability analysis; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; system developer].

Test: [select from: Organizational processes for performing development threat modeling and vulnerability analysis; automated mechanisms supporting and/or implementing development threat modeling and vulnerability analysis].