CCI-003181

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development.

Implementation Guidance

The organization being inspected/assessed requires the developer to document and perform threat and vulnerability analysis to ensure that design or implementation changes, and resulting vulnerabilities, are accounted for early in the life cycle. Threat analysis may be performed through the use of open source threat information. Vulnerability analyses should be informed by system design documentation and may include static analyses, dynamic analyses, simulations, and penetration testing. The developer must document the type of vulnerability analysis that was performed, the results (including defects) and any follow on actions.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service perform threat and vulnerability analysis.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation must require implementation of developer-created threat and vulnerability analysis.

The controls below (if any) were marked by NIST as being related to CCI-003181.