G.5 Assess and manage risk

Proactively analyzing, mitigating, and managing software supply chain risk and achieving the objectives of a software security program.

Controls

G.5.1 Criticality analysis

Identify critical system components and functions by performing a criticality analysis.

G.5.2 Track security risks and decisions

Record and track the software’s security risk-based exceptions and mitigation plans.

G.5.3 Security metrics

Provide the basis for measuring an effective plan for tracking and realizing software security objectives within an organization.

G.5.4 Data-informed product decisions

Make security decisions on software release based upon criteria for checking the security of the software.