NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-15(1) Quality Metrics

Require the developer of the system, system component, or system service to: (a) Define quality metrics at the beginning of the development process; and (b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations use quality metrics to establish acceptable levels of system quality. Metrics can include quality gates, which are collections of completion criteria or sufficiency standards that represent the satisfactory execution of specific phases of the system development project. For example, a quality gate may require the elimination of all compiler warnings or a determination that such warnings have no impact on the effectiveness of required security or privacy capabilities. During the execution phases of development projects, quality gates provide clear, unambiguous indications of progress. Other metrics apply to the entire development project. Metrics can include defining the severity thresholds of vulnerabilities in accordance with organizational risk tolerance, such as requiring no known vulnerabilities in the delivered system with a Common Vulnerability Scoring System (CVSS) severity of medium or high.

Practitioner Notes

Define and track quality metrics for your development process, including metrics that indicate the security quality of the code being produced.

Example 1: Track security-relevant quality metrics: number of security findings per release, time to fix security findings, percentage of findings found by automated tools vs. manual review, and escaped defects (security issues found in production that should have been caught in development).

Example 2: Use your SAST tool's reporting features to trend security findings over time. If the number of critical findings per 1,000 lines of code is increasing release over release, that indicates a quality problem in the development process. Compare only results produced with the same rule set and severity mapping, since enabling new rules or a new scanner will raise the count without any change in code quality. Set targets for improvement and track progress in your development metrics dashboard.
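The following is an added example, not part of the NIST text or the practitioner notes above. It shows one way to turn the two metrics the page discusses into an enforceable release gate: the Supplemental Guidance's "no known vulnerabilities of CVSS Medium or higher in the delivered system" becomes a pass/fail check, and Example 2's findings-per-1,000-lines trend becomes a per-release series. The releases, finding identifiers, file locations and field names are constructed sample data and assumed report fields, not the output or format of any real scanner; the severity bands are the qualitative ratings from the CVSS v3.x specification.

```python
"""Release quality gate and per-KLOC trend over scanner findings (added example).

Sample data below is constructed; field names are assumptions, not a real
scanner's report format.
"""
from dataclasses import dataclass

# Qualitative severity bands from the CVSS v3.x specification (score floor, name).
SEVERITY_BANDS = (
    (0.0, "None"), (0.1, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical"),
)
RANK = {name: i for i, (_, name) in enumerate(SEVERITY_BANDS)}


def cvss_rating(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    rating = "None"
    for floor, name in SEVERITY_BANDS:
        if score >= floor:
            rating = name
    return rating


@dataclass(frozen=True)
class Finding:
    rule_id: str      # assumed field: scanner rule identifier
    cvss: float       # assumed field: CVSS base score assigned to the finding
    location: str     # assumed field: file:line


@dataclass(frozen=True)
class Release:
    version: str
    loc: int                          # lines of code covered by the scan
    findings: tuple[Finding, ...]


def blocking_findings(release: Release, min_blocking: str = "Medium") -> list[Finding]:
    """Findings at or above the rating the organization declared unacceptable.

    The default ("Medium") is the threshold used in the SA-15(1) guidance.
    """
    floor = RANK[min_blocking]
    return [f for f in release.findings if RANK[cvss_rating(f.cvss)] >= floor]


def gate_passes(release: Release, min_blocking: str = "Medium") -> bool:
    """Quality gate: the release may ship only if nothing blocking remains."""
    return not blocking_findings(release, min_blocking)


def density_per_kloc(release: Release, rating: str) -> float:
    """Findings of exactly `rating` per 1,000 lines of code, rounded to 3 places."""
    if release.loc <= 0:
        raise ValueError("loc must be positive")
    count = sum(1 for f in release.findings if cvss_rating(f.cvss) == rating)
    return round(count * 1000 / release.loc, 3)


def density_trend(releases, rating: str):
    """Return the (version, per-KLOC) series and whether it rose on every step.

    Only meaningful when every release was scanned with the same rule set and
    severity mapping; otherwise a rise reflects tooling changes, not quality.
    """
    series = [(r.version, density_per_kloc(r, rating)) for r in releases]
    rising = len(series) > 1 and all(b[1] > a[1] for a, b in zip(series, series[1:]))
    return series, rising


# Constructed sample: three releases scanned with the same rule set.
SAMPLE_RELEASES = (
    Release("1.0", 50_000, (
        Finding("SQLI-001", 9.8, "orders/query.py:41"),
        Finding("LOG-INJ", 3.7, "web/log.py:12"),
    )),
    Release("1.1", 60_000, (
        Finding("SQLI-001", 9.8, "orders/query.py:41"),
        Finding("XSS-004", 6.1, "web/render.py:88"),
        Finding("PATH-TRAV", 7.5, "files/serve.py:19"),
    )),
    Release("1.2", 62_000, (
        Finding("LOG-INJ", 3.7, "web/log.py:12"),
        Finding("WEAK-HASH", 2.6, "auth/legacy.py:5"),
    )),
)

if __name__ == "__main__":
    for rel in SAMPLE_RELEASES:
        verdict = "PASS" if gate_passes(rel) else "FAIL"
        blockers = ", ".join(f"{f.rule_id} ({cvss_rating(f.cvss)})" for f in blocking_findings(rel))
        print(f"{rel.version}: gate {verdict} {blockers}")
    print("Critical per KLOC:", density_trend(SAMPLE_RELEASES, "Critical"))
```

Releases 1.0 and 1.1 fail the gate because each still carries a Critical finding (1.1 also adds a Medium and a High); 1.2 passes because both remaining findings are Low. The Critical density falls from 0.02 to 0.017 to 0.0 per KLOC, so the trend check reports no rise. Evidence for SA-15(1)(b) is the gate verdict and the series, retained per release.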