Navigate

CCI-003264

CCI-003264 Definition

The organization requires the threat modeling performed by the developers employ organization-defined tools and methods.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed requires within contracts/agreements that the threat modeling performed by the developers employ the tools and methods defined in SA-15 (4), CCI 3266.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the threat modeling performed by the developers employ the tools and methods defined in SA-15 (4), CCI 3266.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation. 3.) Continuous monitoring plan requiring the threat modeling performed by developers employ organization-defined tools and methods.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003264.

Control	Description
SA-15(4)	The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [one of ] that: (a): Uses [one of ]; (b): Employs [one of ]; and (c): Produces evidence that meets [one of ].