NIST 800-53 r5 · Controls catalogue · Family SA
SA-15Development Process, Standards, and Tools
Require the developer of the system, system component, or system service to follow a documented development process that: Explicitly addresses security and privacy requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (14)
- T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.001 Default Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.003 Local Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1195.001 Compromise Software Dependencies and Development Tools Initial Access
- T1213.003 Code Repositories Collection
- T1528 Steal Application Access Token Credential Access
- T1552 Unsecured Credentials Credential Access
- T1552.001 Credentials In Files Credential Access
- T1552.002 Credentials in Registry Credential Access
- T1552.004 Private Keys Credential Access
- T1552.006 Group Policy Preferences Credential Access
- T1558.004 AS-REP Roasting Credential Access
- T1574.001 DLL Stealth, Execution
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-693 | Protection Mechanism Failure | 476 | Mandates review that the selected process, standards, and tools can satisfy security requirements, reducing failure of protection mechanisms in the delivered system. |
CWE-707 | Improper Neutralization | 242 | Enforces use of documented standards and tool configurations that address proper neutralization of inputs/outputs during development. |
CWE-703 | Improper Check or Handling of Exceptional Conditions | 146 | Standards and tools mandated by the process include proper handling of exceptional conditions that would otherwise be omitted. |
CWE-664 | Improper Control of a Resource Through its Lifetime | 39 | Requires a managed development lifecycle process with integrity controls on changes, improving control of resources throughout their lifetime. |
CWE-1104 | Use of Unmaintained Third Party Components | 19 | Tool and standards review plus change-integrity requirements reduce selection and continued use of unmaintained third-party components. |
CWE-657 | Violation of Secure Design Principles | 19 | Directly requires a documented process that explicitly addresses security requirements and uses reviewed standards, preventing violations of secure design principles. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2026-40316 | 1.8 | 8.8 | 0.0006 | good |
CVE-2026-27143 | 2.0 | 9.8 | 0.0002 | good |
CVE-2025-70041 | 2.0 | 9.8 | 0.0006 | good |
CVE-2025-22867 | 1.5 | 7.5 | 0.0041 | good |
CVE-2026-26323 | 1.8 | 8.8 | 0.0006 | partial |
CVE-2025-54594 | 1.8 | 9.1 | 0.0011 | good |
CVE-2025-61732 | 1.7 | 8.6 | 0.0001 | partial |
CVE-2025-55263 | 1.5 | 7.3 | 0.0004 | partial |