NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-15(8)Reuse of Threat and Vulnerability Information

Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Analysis of vulnerabilities found in similar software applications can inform potential design and implementation issues for systems under development. Similar systems or system components may exist within developer organizations. Vulnerability information is available from a variety of public and private sector sources, including the NIST National Vulnerability Database.

Practitioner Notes

Reuse threat and vulnerability information from previous projects, industry databases, and external sources to improve the security of new development. Do not start every project's threat analysis from scratch.

Example 1: Maintain a lessons-learned database that records vulnerability patterns found in previous projects. If SQL injection has been found in three past projects, new projects should specifically test for it and use parameterized queries from the start.

Example 2: Use MITRE CWE (Common Weakness Enumeration) and OWASP Top 10 as starting points for threat modeling and testing. These curated lists represent the most common vulnerability patterns and save you from rediscovering well-known risks. Map your coding standards and test cases directly to these references.

More System and Services Acquisition Controls

SA-1 Policy and Procedures SA-2 Allocation of Resources SA-3 System Development Life Cycle SA-3(1) Manage Preproduction Environment