SA-10: Developer Configuration Management
From NIST's SP800-53:
Require the developer of the system, system component, or system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| PR.IP-2 | A System Development Life Cycle to manage systems is implemented |
| PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity |
| PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
| PR.IP-3 | Configuration change control processes are in place |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1505.004 | IIS Components | Persistence |
| T1505.002 | Transport Agent | Persistence |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1553.006 | Code Signing Policy Modification | Defense Evasion |
| T1542.003 | Bootkit | Defense Evasion, Persistence |
| T1213.003 | Code Repositories | Collection |
| T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1559.003 | XPC Services | Execution |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1647 | Plist File Modification | Defense Evasion |
| T1495 | Firmware Corruption | Impact |
| T1505 | Server Software Component | Persistence |
| T1564.009 | Resource Forking | Defense Evasion |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1542.004 | ROMMONkit | Defense Evasion, Persistence |
| T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1505.001 | SQL Stored Procedures | Persistence |
| T1542.001 | System Firmware | Defense Evasion, Persistence |
| T1601 | Modify System Image | Defense Evasion |
| T1195.003 | Compromise Hardware Supply Chain | Initial Access |
| T1601.001 | Patch System Image | Defense Evasion |
| T1553 | Subvert Trust Controls | Defense Evasion |