Navigate

SA-15(4)

SA-15(4): Threat Modeling / Vulnerability Analysis

The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [organization-defined breadth/depth] that:

(a): Uses [organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];

(b): Employs [organization-defined tools and methods]; and

(c): Produces evidence that meets [organization-defined acceptance criteria].

Supplemental

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-15(4).

Control	Description
SA-4	The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: a: Security functional requirements; b: Security strength requirements; c: Security assurance requirements; d: Security-related documentation requirements; e: Requirements for protecting security-related documentation; f: Description of the information system development environment and environment in which the system is intended to operate; and g: Acceptance criteria.

Control

Description

SA-4

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:

a: Security functional requirements;

b: Security strength requirements;

c: Security assurance requirements;

d: Security-related documentation requirements;

e: Requirements for protecting security-related documentation;

f: Description of the information system development environment and environment in which the system is intended to operate; and

g: Acceptance criteria.

Enhancements

The controls below (if any) add on to the requirements of SA-15(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-15(4).

CCI	Definition
CCI-003256	The organization requires that developers perform threat modeling for the information system at an organization-defined breadth/depth.
CCI-003257	The organization requires that developers perform a vulnerability analysis for the information system at an organization-defined breadth/depth.
CCI-003258	The organization defines the breadth/depth at which threat modeling for the information system must be performed by developers.
CCI-003259	The organization defines the breadth/depth at which vulnerability analysis for the information system must be performed by developers.
CCI-003260	Threat modeling performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.
CCI-003261	Vulnerability analysis performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.
CCI-003262	The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform threat modeling for the information system by the developer.
CCI-003263	The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform a vulnerability analysis for the information system by the developer.
CCI-003264	The organization requires the threat modeling performed by the developers employ organization-defined tools and methods.
CCI-003265	The organization requires the vulnerability analysis performed by the developers employ organization-defined tools and methods.
CCI-003266	The organization defines tools and methods to be employed to perform threat modeling for the information system by the developer.
CCI-003267	The organization defines tools and methods to be employed to perform a vulnerability analysis for the information system by the developer.
CCI-003268	The organization requires that developers performing threat modeling for the information system produce evidence that meets organization-defined acceptance criteria.
CCI-003269	The organization requires that developers performing vulnerability analysis for the information system produce evidence that meets organization-defined acceptance criteria.
CCI-003270	The organization defines the acceptance criteria that must be met when threat modeling of the information system is performed by the developer.
CCI-003271	The organization defines the acceptance criteria that must be met when vulnerability analysis of the information system is performed by the developer.