Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SA

SA-11 Developer Testing and Evaluation

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
a. Develop and implement a plan for ongoing security and privacy control assessments;
b. Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};
c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during testing and evaluation.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 7 mapping(s) from 2 framework(s): ASVS 5.0: 5 (partial) · CSF 2.0: 2 (mostly)


Implementations targeting this control (0)

ATT&CK techniques this control mitigates (34)

Weaknesses this control addresses (10) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 14,364 | Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release. |
| CWE-20 | Improper Input Validation | 13,701 | Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied. |
| CWE-284 | Improper Access Control | 5,367 | Explicit security control assessments verify proper access control enforcement, detecting weaknesses that the flaw remediation process then eliminates. |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 4,965 | Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment. |
| CWE-287 | Improper Authentication | 4,908 | Authentication mechanism testing and evaluation during development identifies bypass or weakness conditions, with mandatory correction prior to system delivery. |
| CWE-400 | Uncontrolled Resource Consumption | 3,572 | Resource consumption and denial-of-service testing performed under the assessment plan detects uncontrolled allocation paths that are subsequently fixed. |
| CWE-502 | Deserialization of Untrusted Data | 3,432 | Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses. |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | 730 | Security testing routinely checks for unusual or exceptional inputs/conditions, identifying missing validation steps that flaw remediation then resolves. |
| CWE-693 | Protection Mechanism Failure | 613 | Assessments of security controls directly validate whether protection mechanisms function as intended, exposing failures for correction. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | 150 | Testing and evaluation exercises error paths and exceptional conditions, surfacing improper handling that is then remediated through the defined process. |

Top CVEs where this control is the strongest mitigation

| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2023-33242 | 7.0 | 9.6 | 0.0109 | good |
| CVE-2026-23076 | 5.5 | 7.1 | 0.0013 | partial |
| CVE-2026-31689 | 3.5 | 5.5 | 0.0011 | partial |
| CVE-2025-11252 (UPD) | 7.0 | 9.8 | 0.0039 | partial |
| CVE-2022-20140 | 7.0 | 9.8 | 0.0858 | partial |
| CVE-2026-22866 | 5.5 | 7.5 | 0.0018 | good |
| CVE-2026-22911 | 3.5 | 5.3 | 0.0048 | partial |
| CVE-2026-31897 | 0.0 | 0.0 | 0.0029 | partial |

Other controls in family SA

SA-1 SA-2 SA-3 SA-4 SA-5 SA-6 SA-7 SA-8 SA-9 SA-10 SA-12 SA-13 SA-14 SA-15 SA-16 SA-17 SA-18 SA-19 SA-20 SA-21 SA-22 SA-23 SA-24