NIST 800-53 r5 · Controls catalogue · Family SA
SA-3 System Development Life Cycle
Control statement:
a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
c. Identify individuals having information security and privacy roles and responsibilities; and
d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (6)
- T1078 Valid Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access)
- T1078.001 Default Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access)
- T1078.003 Local Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access)
- T1078.004 Cloud Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access)
- T1213.003 Code Repositories (Collection)
- T1574.001 DLL (Persistence, Privilege Escalation, Defense Evasion)
Weaknesses this control addresses (9) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces the exploitability of each weakness class. SA-3 is a process control: it reduces these weaknesses indirectly, by making someone accountable for security requirements and review in each SDLC phase, not through any technical mechanism of its own.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Assigning security roles and running the risk process through every SDLC phase makes authorization checks a stated requirement for each sensitive operation, so they are designed and tested rather than omitted. |
| CWE-284 | Improper Access Control | 4,832 | Documented security responsibilities and risk management integrated into the SDLC mean access-control decisions are designed and reviewed during development instead of discovered after release. |
| CWE-287 | Improper Authentication | 4,730 | Explicit security roles and risk integration in the SDLC force authentication mechanisms to be planned, documented, and validated rather than omitted or weakly implemented. |
| CWE-798 | Use of Hard-coded Credentials | 1,955 | Design and code reviews mandated by a security-aware SDLC give reviewers a defined point at which embedded credentials are caught before they ship. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Documented roles and continuous risk management ensure that default and runtime permissions on critical resources are deliberately assigned and reviewed rather than left at whatever the installer or framework set. |
| CWE-285 | Improper Authorization | 1,230 | Security considerations in every SDLC phase mean authorization logic is specified, implemented, and tested rather than bolted on ad hoc. |
| CWE-311 | Missing Encryption of Sensitive Data | 552 | Privacy and security considerations across the SDLC make identifying sensitive data and deciding how it is protected (including encryption in transit and at rest) a required activity rather than an afterthought. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Acquisition under a security-aware SDLC includes evaluating third-party components for maintenance status and known weaknesses before they are integrated. |
| CWE-657 | Violation of Secure Design Principles | 19 | The control requires an SDLC that incorporates security considerations, which makes established secure design principles part of the design and review criteria rather than an individual developer's choice. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |