SA-15: Development Process, Standards, and Tools

From NIST's SP800-53:

a. Require the developer of the system, system component, or system service to follow a documented development process that:
   1. Explicitly addresses security and privacy requirements;
   2. Identifies the standards and tools used in the development process;
   3. Documents the specific tool options and tool configurations used in the development process; and
   4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].

Cyber Threat Graph Context

SP800-53 Control Mapped to NIST Cyber Security Framework

Generated from NIST's SP800-53/CSF Crosswalk mappings.

Control ID  Description
ID.SC-2     Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
PR.IP-2     A System Development Life Cycle to manage systems is implemented

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against.

ATT&CK ID  Title                           Associated Tactics
T1528      Steal Application Access Token  Credential Access
T1078.003  Local Accounts                  Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1552.001  Credentials In Files            Credential Access
T1552.004  Private Keys                    Credential Access
T1078.004  Cloud Accounts                  Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1213.003  Code Repositories               Collection
T1078      Valid Accounts                  Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1574.002  DLL Side-Loading                Defense Evasion, Persistence, Privilege Escalation
T1552.006  Group Policy Preferences        Credential Access
T1078.001  Default Accounts                Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1558.004  AS-REP Roasting                 Credential Access
T1552      Unsecured Credentials           Credential Access
T1552.002  Credentials in Registry         Credential Access