SA-11

Developer Security Testing and Evaluation

System and Services Acquisition

The organization requires the developer of the information system, system component, or information system service to create and implement a security assessment plan.

Medium Priority | AI-Relevant Control

Purpose

Ensure that security testing is performed during system development and acquisition.

AI Relevance

Essential for ensuring AI systems and models are developed with security in mind and undergo proper security testing.

Implementation Guidance

Establish security testing requirements, review security assessment plans, and validate security testing results.

Assessment

Review security assessment plans, verify security testing results, test security controls, and validate security assessments.

Requirements

  1. Require the developer to create a security assessment plan
  2. Require the developer to implement a security assessment plan
  3. Require the developer to perform security testing
  4. Require the developer to perform security evaluation
  5. Require the developer to perform security assessment
  6. Require the developer to perform security validation
  7. Require the developer to perform security verification
  8. Require the developer to perform security certification
  9. Require the developer to perform security accreditation
  10. Require the developer to perform security authorization

Framework Context

NIST 800-53 Rev 5

Security and Privacy Controls for Federal Information Systems


NIST AI RMF

AI Risk Management Framework


OWASP AISVS

AI Security Verification Standard
