Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analysis during subsequent testing and evaluation of the system, component, or service.