STIGhub — A free STIG search and compliance tool (STIGs updated 3 days ago)
Powered by Pylon · © 2026 Beacon Cloud Solutions, Inc.

SA-11

Family: System and Services Acquisition · NIST SP 800-53 Rev 5 · Implemented by: organization

Developer Testing and Evaluation

Baselines: Moderate, High, Privacy

Control Statement

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:

Supplemental Guidance

Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches. Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied.
Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.

Related Controls (13)

CA-2, CA-7, CM-4, SA-3, SA-4, SA-5, SA-8, SA-15, SA-17, SI-2, SR-5, SR-6, SR-7

CCI Identifiers (21)

CCI-000707: The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.
CCI-000704: The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to create a security test and evaluation plan.
CCI-000705: The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a security test and evaluation plan.
CCI-000706: The organization requires information system developers, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.
CCI-000702: The organization requires information system developers, in consultation with associated security personnel (including security engineers), to create a security test and evaluation plan.
CCI-000703: The organization requires information system developers, in consultation with associated security personnel (including security engineers), to implement a security test and evaluation plan.
CCI-000708: The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes.
CCI-000709: The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes.
CCI-000710: The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes.
CCI-003173: Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to perform unit, integration, system, and/or regression testing/evaluation on an organization-defined frequency, at an organization-defined depth and coverage.
CCI-003175: Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to produce evidence of the execution of the assessment plan.
CCI-003176: Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to produce the results of the testing and evaluation.
CCI-003177: Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to implement a verifiable flaw remediation process.
CCI-003178: Requires the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to correct flaws identified during testing/evaluation.
CCI-004798: Require the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to develop a plan for ongoing privacy control assessment.
CCI-004799: Require the developer of the system, system component, or system service to implement a plan for ongoing privacy control assessment.
CCI-004800: Defines the frequency that the unit, integration, system, and/or regression testing/evaluation is performed at an organization-defined depth and coverage.
CCI-000711: The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes.
CCI-003171: Require the developer of the system, system component, or system service, at all post-design phases of the system development life cycle, to develop a plan for ongoing security control assessment.
CCI-003172: Require the developer of the system, system component, or system service to implement a plan for ongoing security control assessment.
CCI-003174: Defines the depth and coverage at which to perform unit, integration, system, and/or regression testing/evaluation on an organization-defined frequency.

Linked STIG Checks (3)

Across 1 STIG.