STIGhub — A free STIG search and compliance tool · STIGs updated 3 days ago
© 2026 Beacon Cloud Solutions, Inc.

SA-11 (4)

System and Services Acquisition · Rev 5 · organization

Developer Testing and Evaluation

Control Statement

Require the developer of the system, system component, or system service to perform a manual code review of [Assignment: specific code] using the following processes, procedures, and/or techniques: [Assignment: processes, procedures, and/or techniques].

Supplemental Guidance

Manual code reviews are usually reserved for the critical software and firmware components of systems. Manual code reviews are effective at identifying weaknesses that require knowledge of the application’s requirements or context that, in most cases, is unavailable to automated analytic tools and techniques, such as static and dynamic analysis. The benefits of manual code review include the ability to verify access control matrices against application controls and review detailed aspects of cryptographic implementations and controls.

CCI Identifiers (3)

CCI-003188: Defines the specific code for which the developer of the system, system component, or system service is required to perform a manual code review using organization-defined process, procedures, and/or techniques.

CCI-003189: Defines the processes, procedures, and/or techniques to be used by the developer of the system, system component, or system service to perform a manual code review of organization-defined specific code.

CCI-003187: Require the developer of the system, system component, or system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.

Linked STIG Checks (2)

Across 1 STIG.