Navigate

SA-11(2)

SA-11(2): Threat Modeling and Vulnerability Analyses

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:

(a): Uses the following contextual information: [information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;];

(b): Employs the following tools and methods: [the tools and methods to be employed for threat modeling and vulnerability analyses are defined;];

(c): Conducts the modeling and analyses at the following level of rigor: [one of ] ; and

(d): Produces evidence that meets the following acceptance criteria: [one of ].

Supplemental

Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated.

CIA Levels
Confidentiality	high
Integrity	high
Availability	high

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-11(2).

Control	Description
PM-15	Establish and institutionalize contact with selected groups and associations within the security and privacy communities: a: To facilitate ongoing security and privacy education and training for organizational personnel; b: To maintain currency with recommended security and privacy practices, techniques, and technologies; and c: To share current security and privacy information, including threats, vulnerabilities, and incidents.
RA-3	a: Conduct a risk assessment, including: 1: Identifying threats to and vulnerabilities in the system; 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "]; d: Review risk assessment results [the frequency to review risk assessment results is defined;]; e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Enhancements

The controls below (if any) add on to the requirements of SA-11(2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-11(2).

CCI	Definition
CCI-003181	Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development.
CCI-003182	Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analysis during subsequent testing and evaluation of the system, component, or service.
CCI-004801	Use the following contextual information.
CCI-004802	Defines the information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.
CCI-004803	Employ the following tools and methods.
CCI-004804	Defines the tools and methods to be employed.
CCI-004805	Conduct the modeling and analyses as the following level of rigor.
CCI-004806	Defines the breadth and depth of modeling and analyses the level of rigor will be conducted.
CCI-004807	Produces evidence that meets the following acceptance criteria.
CCI-004808	Defines the acceptance criteria that meets the requirement for producing evidence.