
SA-15(5) Development Process, Standards, And Tools

PBMM (P3)
Secret (P3)
Management

> Control Description

DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | ATTACK SURFACE REDUCTION

The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to organization-defined thresholds.

> Supplemental Guidance

Attack surface reduction is closely aligned with developer threat and vulnerability analyses and information system architecture and design. Attack surface reduction is a means of reducing risk to organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e., potential vulnerabilities) within information systems, information system components, and information system services. Attack surface reduction includes, for example, applying the principle of least privilege, employing layered defences, applying the principle of least functionality (i.e., restricting ports, protocols, functions, and services), deprecating unsafe functions, and eliminating application programming interfaces (APIs) that are vulnerable to cyber-attacks.

Related control: CM-7.

> Tailoring Guidance

Apply to custom developed systems or components.
