G.5.2 Track security risks and decisions

Control Details

Objective

Record and track the software’s security risk-based exceptions and mitigation plans.

Definition

Record when a design tradeoff, vulnerability decision or exception, or component choice is made that incurs security risk, together with a mitigation plan to reduce that risk (including risk that involves vendors). Periodically re-evaluate these exceptions and mitigation plans, potentially through a review board that can provide security guidance on design, patterns, standards, features, and frameworks.

Assessment Questions

  1. How are the responses to security risks and design decisions recorded, including how mitigations are to be achieved?
  2. How are approved exceptions to the security requirements periodically evaluated?

Reference sources

  1. EO 4e(v)
  2. SSDF PW.1.2
  3. BSIMM SFD3.1 SM3.5
  4. OSPS OSPS-SA-03