NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-15(2) — Security and Privacy Tracking Tools
Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
System development teams select and deploy security and privacy tracking tools, including vulnerability or work item tracking systems that facilitate assignment, sorting, filtering, and tracking of completed work items or tasks associated with development processes.
Practitioner Notes
Use tracking tools to manage security and privacy requirements, findings, and remediation throughout the development process.
Example 1: Use Azure DevOps Work Items or Jira tickets to track security requirements alongside functional requirements. Tag security-related items so they can be filtered and reported on separately. Track each security requirement through design, implementation, testing, and verification.
Example 2: Configure your SAST/DAST tools to automatically create tickets in your issue tracker when new findings are detected. This ensures findings enter the development workflow automatically and are tracked through resolution, rather than sitting in a scanner report that nobody reads.
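Added illustration of Example 2 (not part of the control text or of any vendor's integration): it converts scanner findings in SARIF 2.1.0 format into deduplicated ticket records. The tool name `example-sast`, the sample findings, and the ticket field names are constructed assumptions; the output is a list of dictionaries to hand to whatever issue tracker API you use.

```python
import hashlib
import json

def _result(rule, level, text, uri, line):
    """Build one SARIF result object for the constructed sample below."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

# Constructed SARIF 2.1.0 sample (not real scanner output).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _result("sql-injection", "error", "Query built from request input", "app/db.py", 42),
        _result("sql-injection", "error", "Query built from request input", "app/db.py", 97),
        _result("weak-hash", "warning", "MD5 used for integrity check", "app/util.py", 7),
    ]}]})

def fingerprint(tool, rule, uri):
    """Stable ID per (tool, rule, file). Line numbers are left out on purpose
    so unrelated edits that shift code do not produce a new ticket."""
    return hashlib.sha256(f"{tool}|{rule}|{uri}".encode()).hexdigest()[:16]

def findings_to_tickets(sarif_text, open_fingerprints):
    """Return one ticket dict per fingerprint that has no open ticket yet."""
    tickets = {}
    for run in json.loads(sarif_text).get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            uri = loc["artifactLocation"]["uri"]
            fp = fingerprint(tool, res["ruleId"], uri)
            if fp in open_fingerprints:
                continue  # already tracked; do not file a duplicate
            ticket = tickets.setdefault(fp, {
                "title": f"[{tool}] {res['ruleId']} in {uri}",
                "labels": ["security", f"severity:{res.get('level', 'warning')}"],
                "fingerprint": fp, "lines": [],
                "description": res["message"]["text"]})
            ticket["lines"].append(loc.get("region", {}).get("startLine"))
    return list(tickets.values())

if __name__ == "__main__":
    for t in findings_to_tickets(SAMPLE_SARIF, open_fingerprints=set()):
        print(json.dumps(t, indent=2))
```

Store the fingerprint on the ticket itself (for example in a custom field or label) so the next scan can build `open_fingerprints` from the tracker and skip findings that are already being worked.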