Navigate

SA-11 (6)

SA-11 (6): Attack Surface Reviews

The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.

Supplemental

Attack surfaces of information systems are exposed areas that make those systems more vulnerable to cyber attacks. This includes any accessible areas where weaknesses or deficiencies in information systems (including the hardware, software, and firmware components) provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews ensure that developers: (i) analyze both design and implementation changes to information systems; and (ii) mitigate attack vectors generated as a result of the changes. Correction of identified flaws includes, for example, deprecation of unsafe functions.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), NC3

Related Controls

The controls below (if any) were marked by NIST as being related to SA-11 (6).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of SA-11 (6).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-11 (6).

CCI	Definition
CCI-003193	The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.