Navigate

CCI-003258

CCI-003258 Definition

The organization defines the breadth/depth at which threat modeling for the information system must be performed by developers.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed requires within contracts/agreements that the developers perform threat modeling for the information system at the breadth/depth defined in SA-15 (4), CCI 3258.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developers perform threat modeling for the information system at the breadth/depth defined in SA-15 (4), CCI 3258.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan defining breadth/depth that threat modeling for the information system must be performed by developers.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003258.

Control	Description
SA-15 (4)	The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that: SA-15 (4)(a): Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; SA-15 (4)(b): Employs [Assignment: organization-defined tools and methods]; and SA-15 (4)(c): Produces evidence that meets [Assignment: organization-defined acceptance criteria].

Control

Description

SA-15 (4)

The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:

SA-15 (4)(a): Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];

SA-15 (4)(b): Employs [Assignment: organization-defined tools and methods]; and

SA-15 (4)(c): Produces evidence that meets [Assignment: organization-defined acceptance criteria].