NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-11(4) Manual Code Reviews

Require the developer of the system, system component, or system service to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using the following processes, procedures, and/or techniques: {{ insert: param, sa-11.04_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Manual code reviews are usually reserved for the critical software and firmware components of systems. Manual code reviews are effective at identifying weaknesses that require knowledge of the application’s requirements or context that, in most cases, is unavailable to automated analytic tools and techniques, such as static and dynamic analysis. The benefits of manual code review include the ability to verify access control matrices against application controls and review detailed aspects of cryptographic implementations and controls.

Practitioner Notes

Manual code reviews have human reviewers examine source code for security issues that automated tools tend to miss: logic errors, business logic flaws, race conditions, and design weaknesses that only make sense with knowledge of the application's requirements.

Example 1: Require manual security-focused code reviews for all code that handles authentication, authorization, cryptography, user input processing, and sensitive data. Use an OWASP-based code review checklist to ensure reviewers check for common vulnerability patterns.

Example 2: In your Git workflow, require at least one security-trained reviewer to approve pull requests that touch security-sensitive code paths. Use CODEOWNERS files to automatically assign security reviewers when changes are made to authentication, encryption, or access control modules.
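The CODEOWNERS mechanism in Example 2 only works if the path patterns actually cover the security-sensitive modules, and a common gap is a rule that looks right but does not match the paths developers use. The following is an added example, not part of the NIST control text or any project's code: a small Python checker that parses a CODEOWNERS file and reports which files in a change set require the security team. It implements the matching rules relevant in practice (the last matching rule wins; a leading "/" anchors a pattern at the repository root; a trailing "/" matches everything under a directory; "**/" matches at any depth) so it generalizes beyond the three modules named above. The team names, file paths and the CODEOWNERS content are constructed assumptions for illustration.

```python
"""Check which changed files require a security-trained reviewer under a
CODEOWNERS file. Added example code; team names and paths are hypothetical."""
import fnmatch
import posixpath

# Constructed sample CODEOWNERS (hypothetical teams and module paths).
CODEOWNERS = """
# Default owners for everything in the repository.
*                         @example-org/app-maintainers

# Security-sensitive code paths require the security team (last match wins).
/src/auth/                @example-org/security-reviewers
/src/crypto/              @example-org/security-reviewers
/src/access_control/      @example-org/security-reviewers
**/input_validation.py    @example-org/security-reviewers
"""

SECURITY_TEAM = "@example-org/security-reviewers"


def parse_codeowners(text):
    """Return a list of (pattern, [owners]) in file order, ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rules.append((parts[0], parts[1:]))
    return rules


def _matches(pattern, path):
    """Subset of gitignore-style matching as used by CODEOWNERS.

    Simplification: fnmatch's '*' also matches '/', so 'src/*' behaves like
    'src/**'. That is acceptable for a pre-merge check but is not a full
    gitignore implementation.
    """
    anchored = pattern.startswith("/") or "/" in pattern.rstrip("/")
    pat = pattern.lstrip("/")
    if pat.startswith("**/"):
        # '**/name' matches 'name' at any depth, including the repo root.
        anchored = False
        pat = pat[3:]
    segments = path.split("/")
    if pat.endswith("/"):
        # Directory pattern: match any file below a matching directory.
        pat = pat.rstrip("/")
        prefixes = ["/".join(segments[:i]) for i in range(1, len(segments))]
        if anchored:
            return any(fnmatch.fnmatchcase(p, pat) for p in prefixes)
        return any(fnmatch.fnmatchcase(seg, pat) for seg in segments[:-1])
    if anchored:
        return fnmatch.fnmatchcase(path, pat)
    # Unanchored file pattern: match the basename (or the whole path) anywhere.
    return (fnmatch.fnmatchcase(posixpath.basename(path), pat)
            or fnmatch.fnmatchcase(path, pat))


def required_owners(rules, changed_paths):
    """Map each changed path to the owners of the LAST matching rule."""
    result = {}
    for path in changed_paths:
        owners = []
        for pattern, teams in rules:
            if _matches(pattern, path):
                owners = teams
        result[path] = owners
    return result


def needs_security_review(rules, changed_paths, security_team=SECURITY_TEAM):
    """Sorted list of changed paths whose owners include the security team."""
    owners = required_owners(rules, changed_paths)
    return sorted(p for p, teams in owners.items() if security_team in teams)


# Constructed change set for a hypothetical pull request.
CHANGED_FILES = [
    "src/auth/session.py",
    "src/crypto/aead.py",
    "src/api/input_validation.py",
    "src/api/routes.py",
    "docs/README.md",
]

if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS)
    for path in needs_security_review(rules, CHANGED_FILES):
        print("security review required:", path)
```

Two practical caveats: a CODEOWNERS file only assigns reviewers, so the branch protection rule must also require review from code owners for the assignment to block a merge, and the team listed as owner should be one whose membership is limited to reviewers with security training, otherwise the control is satisfied on paper only.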