G.5.4 Data-informed product decisions

Control Details

Objective

Make software release decisions based on defined criteria for checking the security of the software, rather than on schedule or judgement alone.

Definition

Implement processes and mechanisms, automated where possible, to gather and safeguard information that supports security decision-making at the product level. This information can be used to drive SDLC change at the product or organizational level, to feed a security risk exception process, or both.
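The following is an added example, not part of the original control text, of one mechanism that satisfies this definition: a release gate that reads scanner output from the toolchain, applies a release policy, honours a scoped and time-limited risk-exception register, and emits a decision record hashed to the evidence it was made from so it can be safeguarded for later review. The finding format is a simplified SARIF-like shape, the severity thresholds, the exception-register fields and the sample data are all assumptions made for the example.

```python
"""Added example: an automated release gate that turns toolchain findings into a
recorded, tamper-evident release decision, with a risk-exception path.
Not part of the original page; the finding format is a simplified SARIF-like
shape and the policy thresholds and register fields are assumptions."""
import hashlib
import json
from datetime import date

# Severities that block a release unless covered by an approved exception (assumed policy).
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed sample scan output in a simplified SARIF-like shape (not real tool output).
SAMPLE_SCAN = {
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQLI-001", "properties": {"severity": "critical"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
            {"ruleId": "XSS-002", "properties": {"severity": "high"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/views.py"}}}]},
            {"ruleId": "LOG-003", "properties": {"severity": "low"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/log.py"}}}]},
        ],
    }]
}

# Constructed risk-exception register (assumed fields): each entry is scoped to one
# rule and one file, names an approver and a tracking ticket, and expires.
SAMPLE_EXCEPTIONS = [
    {"rule_id": "XSS-002", "uri": "web/views.py", "expires": "2025-06-30",
     "ticket": "SEC-123", "approved_by": "security-lead"},
]


def extract_findings(scan):
    """Flatten the nested scan document into (tool, rule_id, severity, uri) records."""
    findings = []
    for run in scan.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            uri = (locations[0].get("physicalLocation", {})
                   .get("artifactLocation", {}).get("uri", "<unknown>"))
            findings.append({
                "tool": tool,
                "rule_id": result.get("ruleId", "<unknown-rule>"),
                "severity": result.get("properties", {}).get("severity", "unknown").lower(),
                "uri": uri,
            })
    return findings


def exception_for(finding, exceptions, today):
    """Return the exception covering this finding, or None.
    Mismatched scope, a missing approver or ticket, an unparseable expiry,
    or an expired entry all mean the exception does not apply."""
    for exc in exceptions:
        if exc.get("rule_id") != finding["rule_id"] or exc.get("uri") != finding["uri"]:
            continue
        try:
            expires = date.fromisoformat(exc["expires"])
        except (KeyError, ValueError):
            continue
        if today <= expires and exc.get("approved_by") and exc.get("ticket"):
            return exc
    return None


def decide(scan, exceptions, today):
    """Apply the release policy and return a decision record suitable for archiving.
    `today` may be a date or an ISO-8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = extract_findings(scan)
    blocking, excepted = [], []
    for f in findings:
        if f["severity"] not in BLOCKING_SEVERITIES:
            continue
        exc = exception_for(f, exceptions, today)
        if exc is None:
            blocking.append(f)
        else:
            excepted.append({**f, "ticket": exc["ticket"], "approved_by": exc["approved_by"]})
    # Hash the raw scan so the archived decision is tied to the exact evidence it used.
    evidence = json.dumps(scan, sort_keys=True, separators=(",", ":")).encode()
    return {
        "date": today.isoformat(),
        "decision": "block" if blocking else "release",
        "findings_total": len(findings),
        "blocking": blocking,
        "excepted": excepted,
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
    }


if __name__ == "__main__":
    print(json.dumps(decide(SAMPLE_SCAN, SAMPLE_EXCEPTIONS, "2025-01-15"), indent=2))
```

Two design points carry the control's intent: the exception register is the risk-exception process made explicit (scoped, approved, ticketed, expiring), so an exception cannot silently become permanent, and the decision record includes a hash of the scan it was derived from, so the archived decision and its evidence can be checked against each other later. Trend data for SDLC change comes from keeping these records over time, not from any single run.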

Assessment Questions

  1. How do you use information from your toolchain to inform security decision-making automatically?
  2. If this is not automated, is the information collected and reviewed manually?

Reference sources

  1. EO 4e(iv) 4e(v)
  2. SSDF PO.4.2
  3. BSIMM SM1.4 SM1.7
  4. 800-161 SA-15
  5. Self-attestation 4
  6. SAMM G-SM-3-B
  7. OSPS OSPS-QA-03 OSPS-QA-04 OSPS-VM-05 OSPS-VM-06