Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SA

SA-15Development Process, Standards, and Tools

Require the developer of the system, system component, or system service to follow a documented development process that: Explicitly addresses security and privacy requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 22 mapping(s) from 2 framework(s): ASVS 5.0 21 (partial) · CSF 2.0 1 (mostly)

See the full cumulative-coverage rollup →

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (14)

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-693Protection Mechanism Failure613Mandates review that the selected process, standards, and tools can satisfy security requirements, reducing failure of protection mechanisms in the delivered system.
CWE-707Improper Neutralization253Enforces use of documented standards and tool configurations that address proper neutralization of inputs/outputs during development.
CWE-703Improper Check or Handling of Exceptional Conditions150Standards and tools mandated by the process include proper handling of exceptional conditions that would otherwise be omitted.
CWE-664Improper Control of a Resource Through its Lifetime42Requires a managed development lifecycle process with integrity controls on changes, improving control of resources throughout their lifetime.
CWE-1104Use of Unmaintained Third Party Components21Tool and standards review plus change-integrity requirements reduce selection and continued use of unmaintained third-party components.
CWE-657Violation of Secure Design Principles19Directly requires a documented process that explicitly addresses security requirements and uses reviewed standards, preventing violations of secure design principles.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2026-403165.58.80.0041good
CVE-2026-271437.09.80.0054good
CVE-2025-700417.09.80.0044good
CVE-2025-228675.57.50.0059good
CVE-2026-218975.57.30.0026partial
CVE-2023-264935.58.10.0291good
CVE-2025-54594 UPD7.09.10.0043good
CVE-2025-552635.57.30.0019partial
CVE-2026-263235.58.80.0171partial
CVE-2025-61732 UPD5.58.60.0047partial
CVE-2026-262675.57.50.0032partial
CVE-2026-316893.55.50.0011partial

Other controls in family SA

SA-1 SA-10 SA-11 SA-12 SA-13 SA-14 SA-16 SA-17 SA-18 SA-19 SA-2 SA-20 SA-21 SA-22 SA-23 SA-24 SA-3 SA-4 SA-5 SA-6 SA-7 SA-8 SA-9