SA-15 (4)

System and Services Acquisition · Rev 5 · Withdrawn

Threat Modeling and Vulnerability Analysis

This control has been withdrawn and incorporated into: SA-11 (2)

CCI Identifiers (16)

CCI-003263: The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform a vulnerability analysis for the information system by the developer.
CCI-003266: The organization defines tools and methods to be employed to perform threat modeling for the information system by the developer.
CCI-003267: The organization defines tools and methods to be employed to perform a vulnerability analysis for the information system by the developer.
CCI-003268: The organization requires that developers performing threat modeling for the information system produce evidence that meets organization-defined acceptance criteria.
CCI-003271: The organization defines the acceptance criteria that must be met when vulnerability analysis of the information system is performed by the developer.
CCI-003261: Vulnerability analysis performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.
CCI-003264: The organization requires the threat modeling performed by the developers employ organization-defined tools and methods.
CCI-003270: The organization defines the acceptance criteria that must be met when threat modeling of the information system is performed by the developer.
CCI-003259: The organization defines the breadth/depth at which vulnerability analysis for the information system must be performed by developers.
CCI-003262: The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform threat modeling for the information system by the developer.
CCI-003265: The organization requires the vulnerability analysis performed by the developers employ organization-defined tools and methods.
CCI-003260: Threat modeling performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.
CCI-003269: The organization requires that developers performing vulnerability analysis for the information system produce evidence that meets organization-defined acceptance criteria.
CCI-003258: The organization defines the breadth/depth at which threat modeling for the information system must be performed by developers.
CCI-003256: The organization requires that developers perform threat modeling for the information system at an organization-defined breadth/depth.
CCI-003257: The organization requires that developers perform a vulnerability analysis for the information system at an organization-defined breadth/depth.

Linked STIG Checks (1)

Across 1 STIG.