NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-11(6) — Attack Surface Reviews
Require the developer of the system, system component, or system service to perform attack surface reviews.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Attack surfaces of systems and system components are exposed areas that make those systems more vulnerable to attacks. Attack surfaces include any accessible areas where weaknesses or deficiencies in the hardware, software, and firmware components provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews ensure that developers analyze the design and implementation changes to systems and mitigate attack vectors generated as a result of the changes. The correction of identified flaws includes deprecation of unsafe functions.
Practitioner Notes
Attack surface reviews examine all the ways an attacker could potentially interact with your system — open ports, exposed APIs, user interfaces, file upload points — and work to reduce them.
Example 1: After each development sprint, review the application's attack surface: new endpoints, new input fields, new file handlers, new integrations. For each new surface area, verify that appropriate security controls (input validation, authentication, authorization) are in place.
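One way to make the per-sprint review in Example 1 repeatable is to diff the route inventory of the previous sprint against the current one and flag each new operation that lacks an authentication requirement or accepts file uploads. The script below is an added illustration, not part of this control text or any vendor tool; the OpenAPI-style inventories and endpoint names are constructed sample data, and the "security" handling mirrors the OpenAPI convention that an operation-level empty list overrides the spec-wide default.

```python
from typing import Dict, List, Tuple

# Constructed route inventory for the previous sprint, OpenAPI-style: the top-level
# "security" entry is the default auth requirement every operation inherits.
PREV_SPEC = {
    "security": [{"bearer": []}],
    "paths": {
        "/orders": {"get": {}, "post": {"requestBody": {"content": {"application/json": {}}}}},
        "/health": {"get": {"security": []}},  # known, accepted unauthenticated probe
    },
}

# Constructed inventory for the current sprint: POST /orders removed, three operations added.
CURR_SPEC = {
    "security": [{"bearer": []}],
    "paths": {
        "/orders": {"get": {}},
        "/health": {"get": {"security": []}},
        "/orders/{id}": {"delete": {}},  # new, inherits the default auth requirement
        "/orders/{id}/invoice": {"post": {"requestBody": {"content": {"multipart/form-data": {}}}}},
        "/admin/export": {"get": {"security": []}},  # new, and it opted out of auth
    },
}

def operations(spec: dict) -> Dict[Tuple[str, str], dict]:
    """Flatten a spec into {(METHOD, path): operation} so sprints can be compared as sets."""
    return {(m.upper(), p): op for p, methods in spec["paths"].items() for m, op in methods.items()}

def surface_diff(prev: dict, curr: dict) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (added, removed) operations; the added ones are the new surface to review."""
    before, after = operations(prev), operations(curr)
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))

def requires_auth(spec: dict, op: dict) -> bool:
    """Authenticated unless the operation overrides the spec default with an empty list."""
    return bool(op.get("security", spec.get("security", [])))

def review_new_surface(prev: dict, curr: dict) -> List[str]:
    """Flag new operations with no auth requirement or a file-upload body; each needs a control check."""
    added, _ = surface_diff(prev, curr)
    ops = operations(curr)
    findings = []
    for method, path in added:
        op = ops[(method, path)]
        if not requires_auth(curr, op):
            findings.append(f"{method} {path}: no authentication requirement on new endpoint")
        if "multipart/form-data" in op.get("requestBody", {}).get("content", {}):
            findings.append(f"{method} {path}: new file upload handler; verify type and size validation")
    return findings

if __name__ == "__main__":
    print("\n".join(review_new_surface(PREV_SPEC, CURR_SPEC)))
```

Removed operations from `surface_diff` are worth recording too, since attack surface reduction is evidence the review is having its intended effect.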
Example 2: Use Microsoft Defender External Attack Surface Management to continuously discover and monitor your organization's internet-facing assets. The tool identifies exposed services, open ports, and vulnerable technologies from an attacker's perspective. Review findings weekly and eliminate unnecessary exposure.