catalog: SP800-53rev3 / class: Management / family: (SA) System and Services Acquisition
  SA-11: Developer Security Testing  

base control objective:
The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):
a. Create and implement a security test and evaluation plan;
b. Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
c. Document the results of the security testing/evaluation and flaw remediation processes.

supplemental objective information:
Developmental security test results are used to the greatest extent feasible after verification of the results and recognizing that these results are impacted whenever there have been security-relevant modifications to the information system subsequent to developer testing. Test results may be used in support of the security authorization process for the delivered information system.

enhancements to the base objective:

(1) The organization requires that information system developers/integrators employ code analysis tools to examine software for common flaws and document the results of the analysis.

(2) The organization requires that information system developers/integrators perform a vulnerability analysis to document vulnerabilities, exploitation potential, and risk mitigations.

(3) The organization requires that information system developers/integrators create a security test and evaluation plan and implement the plan under the witness of an independent verification and validation agent.
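As an added illustration of what SA-11 b (a verifiable flaw remediation process) and enhancement (1) (code analysis tools with documented results) look like in practice, the following Python script is not part of SP800-53 or of this catalog page. It implements a small AST-based code analysis tool for three common flaws (a hardcoded secret, subprocess with shell=True, and eval on input), documents its findings as a JSON record, and then verifies a submitted remediation by re-scanning: remediation is accepted only when every previously documented finding is gone and no new finding has appeared. The two source snippets, the rule names and the finding fingerprint (rule plus detail, so that line numbers shifting during the fix do not break the comparison) are all constructed for this example and are assumptions, not anything the control prescribes.

```python
"""Minimal developer-side code analysis with verifiable flaw remediation.

Added example for SA-11 b and SA-11(1); constructed inputs and rules,
not NIST text or a NIST-endorsed tool.
"""
import ast
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # assumed rule identifier, chosen for this example
    line: int      # line in the scanned source
    detail: str    # human-readable detail; part of the finding fingerprint


# Constructed 'before' module submitted for developer security testing.
VULNERABLE_SRC = '''
import subprocess
PASSWORD = "hunter2"
def run(cmd):
    return subprocess.call(cmd, shell=True)
def calc(expr):
    return eval(expr)
'''

# Constructed 'after' module submitted as the flaw remediation.
REMEDIATED_SRC = '''
import os, subprocess, shlex
PASSWORD = os.environ.get("APP_PASSWORD")
def run(cmd):
    return subprocess.call(shlex.split(cmd))
def calc(expr):
    return float(expr)
'''

SECRET_WORDS = ("password", "secret", "token")
SUBPROCESS_CALLS = ("call", "run", "Popen", "check_output", "check_call")


class FlawScanner(ast.NodeVisitor):
    """Walks the AST and records each match of an assumed rule."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        fn = node.func
        name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
        if name == "eval":
            self.findings.append(Finding("dangerous-eval", node.lineno, "eval() on caller input"))
        if name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("shell-true", node.lineno, f"{name}() with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A non-empty string literal assigned to a secret-looking name.
        for target in node.targets:
            if isinstance(target, ast.Name) and any(w in target.id.lower() for w in SECRET_WORDS):
                val = node.value
                if isinstance(val, ast.Constant) and isinstance(val.value, str) and val.value:
                    self.findings.append(Finding("hardcoded-secret", node.lineno, f"literal assigned to {target.id}"))
        self.generic_visit(node)


def scan(source):
    """SA-11(1): examine the software for common flaws."""
    scanner = FlawScanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: (f.line, f.rule))


def document(findings):
    """SA-11(1)/c: the analysis results as a JSON artefact fit for the test record."""
    return json.dumps([asdict(f) for f in findings], indent=1)


def verify_remediation(baseline, remediated_source):
    """SA-11 b: accept the fix only if every documented finding is gone and nothing new appeared."""
    before = {(f.rule, f.detail) for f in baseline}
    after = {(f.rule, f.detail) for f in scan(remediated_source)}
    return {
        "fixed": sorted(before - after),
        "still_open": sorted(before & after),
        "new": sorted(after - before),
        "verified": not (before & after) and not (after - before),
    }


if __name__ == "__main__":
    baseline = scan(VULNERABLE_SRC)
    print(document(baseline))
    print(json.dumps(verify_remediation(baseline, REMEDIATED_SRC), indent=1))
```

The point of `verify_remediation` is that the remediation record is reproducible from artefacts (the documented baseline and the fixed source) rather than from a developer's assertion that the flaws were fixed; re-running it against an unchanged or partially fixed module reports the open findings instead of verifying. In a real programme the scanner would be the organisation's chosen analysis tool and the baseline JSON would be retained with the test and evaluation results.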

mapping to FIPS199 baseline:

  LOW: not selected     MOD: SA-11 (base control, no enhancements)     HIGH: SA-11 (base control, no enhancements)

related controls:

CA-02   Security Assessments
SI-02   Flaw Remediation

documents referenced in SP800-53rev3 for SA-11:

Document         Date             Status    Title
NIST SP800-76    September 2006   DRAFT     Biometric Data Specification for Personal Identity Verification
NIST SP800-85A   March 2009       current   PIV Card Application and Middleware Interface Test Guidelines (SP800-73 compliance)
NIST SP800-85B   July 2006        current   PIV Data Model Test Guidelines
