NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-15(5) — Attack Surface Reduction
Require the developer of the system, system component, or system service to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}.
Supplemental Guidance
Attack surface reduction is closely aligned with threat and vulnerability analyses and system architecture and design. Attack surface reduction is a means of reducing risk to organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e., potential vulnerabilities) within systems, system components, and system services. Attack surface reduction includes implementing the concept of layered defenses, applying the principles of least privilege and least functionality, applying secure software development practices, deprecating unsafe functions, reducing entry points available to unauthorized users, reducing the amount of code that executes, and eliminating application programming interfaces (APIs) that are vulnerable to attacks.
Practitioner Notes
Actively work to reduce the attack surface of systems during development. Every unnecessary feature, open port, and exposed interface is potential attack surface that must be defended.
Example 1: During design reviews, challenge every exposed interface: Does this API endpoint need to be public? Does this feature need to be enabled by default? Can we reduce the permissions this service needs? Remove every interface, feature, and privilege that is not explicitly required.
Example 2: Build container images from minimal base images (Alpine Linux, distroless) rather than full OS images. A minimal image has fewer installed packages, fewer potential vulnerabilities, and a smaller attack surface. Scan your container images with Trivy or Snyk to identify and remove unnecessary components.
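A minimal-image build of the kind Example 2 describes, added here as an illustration (it is not NIST text and not taken from any particular project). It assumes a Go service whose entry point lives under ./cmd/server, a .dockerignore that keeps secrets and build artifacts out of the context, and a CI pipeline that runs Trivy against the built image:

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a static binary inside a full toolchain image.
# Nothing from this stage except the binary reaches the final image.
FROM golang:1.22-alpine AS build
WORKDIR /src
# Copy dependency manifests first so the module download layer is cached.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a static binary with no libc dependency;
# -trimpath and -s -w strip build paths and debug symbols.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/server ./cmd/server

# Stage 2: distroless runtime. No shell, no package manager, no
# interpreter: a compromised process has no tools to pivot with, and
# the scanner has almost no packages to report on.
FROM gcr.io/distroless/static-debian12:nonroot
# Only the artifact that is actually needed is copied in (assumed path).
COPY --from=build /out/server /app/server
# Run as the unprivileged user the image ships with (uid 65532).
USER nonroot:nonroot
# Document the single listening port; publish nothing else at runtime.
EXPOSE 8080
ENTRYPOINT ["/app/server"]

# Build and scan (host-side commands, listed here for reference):
#   docker build -t example/server:1.0 .
#   trivy image --severity HIGH,CRITICAL --exit-code 1 example/server:1.0
# --exit-code 1 fails the pipeline on unresolved HIGH/CRITICAL findings.
# Rebuilding with a full image (e.g. golang:1.22) as the runtime stage and
# scanning again shows how much of the finding count comes from the base.
```

At deploy time the same principle continues with runtime flags such as `docker run --read-only --cap-drop=ALL`, which remove write access to the image and Linux capabilities the service does not need.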