TDA — Technology Development & Acquisition
70 controls in the Technology Development & Acquisition domain
TDA-01 Technology Development & Acquisition
TDA-01.1 Product Management
TDA-01.2 Integrity Mechanisms for Software / Firmware Updates
TDA-01.3 Malware Testing Prior to Release
TDA-01.4 DevSecOps
TDA-02 Minimum Viable Product (MVP) Security Requirements
TDA-02.1 Ports, Protocols & Services In Use
TDA-02.2 Information Assurance Enabled Products
TDA-02.3 Development Methods, Techniques & Processes
TDA-02.4 Pre-Established Secure Configurations
TDA-02.5 Identification & Justification of Ports, Protocols & Services
TDA-02.6 Insecure Ports, Protocols & Services
TDA-02.7 Cybersecurity & Data Privacy Representatives For Product Changes
TDA-02.8 Minimizing Attack Surfaces
TDA-02.9 Ongoing Product Security Support
TDA-02.10 Product Testing & Reviews
TDA-02.11 Disclosure of Vulnerabilities
TDA-02.12 Products With Digital Elements
TDA-02.13 Reporting Exploitable Vulnerabilities
TDA-02.14 Logging Syntax
TDA-03 Commercial Off-The-Shelf (COTS) Security Solutions
TDA-03.1 Supplier Diversity
TDA-04 Documentation Requirements
TDA-04.1 Functional Properties
TDA-04.2 Software Bill of Materials (SBOM)
TDA-05 Developer Architecture & Design
TDA-05.1 Physical Diagnostic & Test Interfaces
TDA-05.2 Diagnostic & Test Interface Monitoring
TDA-06 Secure Software Development Practices (SSDP)
TDA-06.1 Criticality Analysis
TDA-06.2 Threat Modeling
TDA-06.3 Software Assurance Maturity Model (SAMM)
TDA-06.4 Supporting Toolchain
TDA-06.5 Software Design Review
TDA-06.6 Software Design Root Cause Analysis
TDA-07 Secure Development Environments
TDA-08 Separation of Development, Testing and Operational Environments
TDA-08.1 Secure Migration Practices
TDA-09 Cybersecurity & Data Protection Testing Throughout Development
TDA-09.1 Continuous Monitoring Plan
TDA-09.2 Static Code Analysis
TDA-09.3 Dynamic Code Analysis
TDA-09.4 Malformed Input Testing
TDA-09.5 Application Penetration Testing
TDA-09.6 Secure Settings By Default
TDA-09.7 Manual Code Review
TDA-10 Use of Live Data
TDA-10.1 Test Data Integrity
TDA-11 Product Tampering and Counterfeiting (PTC)
TDA-11.1 Anti-Counterfeit Training
TDA-11.2 Component Disposal
TDA-12 Customized Development of Critical Components
TDA-13 Developer Screening
TDA-14 Developer Configuration Management
TDA-14.1 Software / Firmware Integrity Verification
TDA-14.2 Hardware Integrity Verification
TDA-15 Developer Threat Analysis & Flaw Remediation
TDA-16 Developer-Provided Training
TDA-17 Unsupported Technology Assets, Applications and/or Services (TAAS)
TDA-17.1 Alternate Sources for Continued Support
TDA-18 Input Data Validation
TDA-19 Error Handling
TDA-20 Access to Program Source Code
TDA-20.1 Software Release Integrity Verification
TDA-20.2 Archiving Software Releases
TDA-20.3 Software Escrow
TDA-20.4 Approved Code
TDA-21 Product Conformity Governance
TDA-22 Technical Documentation Artifacts
TDA-22.1 Product-Specific Risk Assessment Artifacts