Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SA

SA-3 System Development Life Cycle

a. Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;
b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
c. Identify individuals having information security and privacy roles and responsibilities; and
d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective verdict: mostly. 13 mappings from 3 frameworks: ASVS 5.0, 10 mappings (partial); CSF 2.0, 2 mappings (mostly); OWASP-Web, 1 mapping (partial).

Implementations targeting this control (2)

ATT&CK techniques this control mitigates (6)

Weaknesses this control addresses (9)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE | Name | CVEs | Why this control addresses it
CWE-862 | Missing Authorization | 9,346 | Requiring security roles and risk processes throughout the SDLC ensures that authorization checks are identified as requirements and implemented for every sensitive operation.
CWE-284 | Improper Access Control | 5,367 | Defining security roles and responsibilities and integrating risk management into the SDLC directly reduces improper access control by ensuring access decisions are designed and reviewed throughout development.
CWE-287 | Improper Authentication | 4,908 | Requiring explicit security roles and risk integration in the SDLC forces authentication mechanisms to be planned, documented, and validated instead of omitted or weakly implemented.
CWE-798 | Use of Hard-coded Credentials | 2,013 | Integrating risk management and security responsibilities into the SDLC makes use of hard-coded credentials visible during design and code reviews, reducing their introduction.
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,874 | Documented roles, responsibilities, and continuous risk management in the SDLC ensure that default and runtime permissions for critical resources are deliberately assigned and reviewed.
CWE-285 | Improper Authorization | 1,356 | Incorporating security considerations and risk management into every SDLC phase ensures authorization logic is properly specified, implemented, and tested rather than added ad hoc.
CWE-311 | Missing Encryption of Sensitive Data | 554 | Privacy and security considerations mandated across the SDLC make identification and protection of sensitive data (including encryption decisions) a required activity rather than an afterthought.
CWE-1104 | Use of Unmaintained Third Party Components | 21 | Acquisition and development under a security-aware SDLC includes evaluation of third-party components for maintenance status and known weaknesses before integration.
CWE-657 | Violation of Secure Design Principles | 19 | The control explicitly requires adoption of an SDLC that incorporates security considerations, directly preventing violation of established secure design principles.

Top CVEs where this control is the strongest mitigation

CVE | Risk | CVSS | EPSS | Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.
