Navigate

SA-15 (8)

SA-15 (8): Reuse Of Threat / Vulnerability Information

The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.

Supplemental

Analysis of vulnerabilities found in similar software applications can inform potential design or implementation issues for information systems under development. Similar information systems or system components may exist within developer organizations. Authoritative vulnerability information is available from a variety of public and private sector sources including, for example, the National Vulnerability Database.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), NC3

Related Controls

The controls below (if any) were marked by NIST as being related to SA-15 (8).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of SA-15 (8).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-15 (8).

CCI	Definition
CCI-003281	The organization requires the developer of the information system, system component, or information system service to use threat modeling from similar systems, components, or services to inform the current development process.
CCI-003282	The organization requires the developer of the information system, system component, or information system service to use vulnerability analysis from similar systems, components, or services to inform the current development process.