NIST 800-53 SA-11 Mappings

Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.

Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SA-11 Developer Testing and Evaluation Protects T1078.004 Cloud Accounts
SA-11 Developer Testing and Evaluation Protects T1213.003 Code Repositories
SA-11 Developer Testing and Evaluation Protects T1495 Firmware Corruption
SA-11 Developer Testing and Evaluation Protects T1505 Server Software Component
SA-11 Developer Testing and Evaluation Protects T1078.001 Default Accounts
SA-11 Developer Testing and Evaluation Protects T1078.003 Local Accounts
SA-11 Developer Testing and Evaluation Protects T1134.005 SID-History Injection
SA-11 Developer Testing and Evaluation Protects T1505.001 SQL Stored Procedures
SA-11 Developer Testing and Evaluation Protects T1505.002 Transport Agent
SA-11 Developer Testing and Evaluation Protects T1505.004 IIS Components
SA-11 Developer Testing and Evaluation Protects T1542 Pre-OS Boot
SA-11 Developer Testing and Evaluation Protects T1542.001 System Firmware
SA-11 Developer Testing and Evaluation Protects T1542.003 Bootkit
SA-11 Developer Testing and Evaluation Protects T1542.004 ROMMONkit
SA-11 Developer Testing and Evaluation Protects T1542.005 TFTP Boot
SA-11 Developer Testing and Evaluation Protects T1552 Unsecured Credentials
SA-11 Developer Testing and Evaluation Protects T1552.001 Credentials In Files
SA-11 Developer Testing and Evaluation Protects T1552.002 Credentials in Registry
SA-11 Developer Testing and Evaluation Protects T1552.004 Private Keys
SA-11 Developer Testing and Evaluation Protects T1552.006 Group Policy Preferences
SA-11 Developer Testing and Evaluation Protects T1553 Subvert Trust Controls
SA-11 Developer Testing and Evaluation Protects T1553.006 Code Signing Policy Modification
SA-11 Developer Testing and Evaluation Protects T1558.004 AS-REP Roasting
SA-11 Developer Testing and Evaluation Protects T1574.002 DLL Side-Loading
SA-11 Developer Testing and Evaluation Protects T1601 Modify System Image
SA-11 Developer Testing and Evaluation Protects T1601.001 Patch System Image
SA-11 Developer Testing and Evaluation Protects T1601.002 Downgrade System Image
SA-11 Developer Testing and Evaluation Protects T1612 Build Image on Host
SA-11 Developer Testing and Evaluation Protects T1078 Valid Accounts
SA-11 Developer Testing and Evaluation Protects T1195.003 Compromise Hardware Supply Chain
SA-11 Developer Testing and Evaluation Protects T1528 Steal Application Access Token
SA-11 Developer Security Testing And Evaluation Protects T1559.003 XPC Services
SA-11 Developer Security Testing And Evaluation Protects T1647 Plist File Modification