TDA

Technology Development & Acquisition

70 controls

Develop and/or acquire systems, applications and services according to a Secure Software Development Framework (SSDF) to reduce the potential impact of undetected or unaddressed vulnerabilities and design flaws.

| SCF # | Control Name | Weight | NIST CSF | Frameworks |
|---|---|---|---|---|
| TDA-01 | Technology Development & Acquisition | 10 — Critical | Govern | 108 |
| TDA-01.1 | Product Management | 10 — Critical | Protect | 48 |
| TDA-01.2 | Integrity Mechanisms for Software / Firmware Updates | 5 — Medium | Protect | 11 |
| TDA-01.3 | Malware Testing Prior to Release | 9 — Critical | Protect | 5 |
| TDA-01.4 | DevSecOps | 6 — Medium | Protect | 4 |
| TDA-02 | Minimum Viable Product (MVP) Security Requirements | 9 — Critical | Protect | 70 |
| TDA-02.1 | Ports, Protocols & Services In Use | 8 — High | Protect | 34 |
| TDA-02.2 | Information Assurance Enabled Products | 2 — Low | Protect | 35 |
| TDA-02.3 | Development Methods, Techniques & Processes | 5 — Medium | Identify | 39 |
| TDA-02.4 | Pre-Established Secure Configurations | 8 — High | Protect | 20 |
| TDA-02.5 | Identification & Justification of Ports, Protocols & Services | 8 — High | Identify | 8 |
| TDA-02.6 | Insecure Ports, Protocols & Services | 9 — Critical | Protect | 11 |
| TDA-02.7 | Cybersecurity & Data Privacy Representatives For Product Changes | 10 — Critical | Identify | 9 |
| TDA-02.8 | Minimizing Attack Surfaces | 9 — Critical | Protect | 3 |
| TDA-02.9 | Ongoing Product Security Support | 9 — Critical | Protect | 4 |
| TDA-02.10 | Product Testing & Reviews | 9 — Critical | Protect | 3 |
| TDA-02.11 | Disclosure of Vulnerabilities | 5 — Medium | Protect | 6 |
| TDA-02.12 | Products With Digital Elements | 6 — Medium | Protect | 1 |
| TDA-02.13 | Reporting Exploitable Vulnerabilities | 8 — High | Protect | 2 |
| TDA-02.14 | Logging Syntax | 8 — High | Detect | 2 |
| TDA-03 | Commercial Off-The-Shelf (COTS) Security Solutions | 5 — Medium | Protect | 10 |
| TDA-03.1 | Supplier Diversity | 3 — Low | Protect | 6 |
| TDA-04 | Documentation Requirements | 8 — High | Protect | 57 |
| TDA-04.1 | Functional Properties | 8 — High | Protect | 32 |
| TDA-04.2 | Software Bill of Materials (SBOM) | 9 — Critical | Identify | 22 |
| TDA-05 | Developer Architecture & Design | 8 — High | Protect | 42 |
| TDA-05.1 | Physical Diagnostic & Test Interfaces | 5 — Medium | Detect | 7 |
| TDA-05.2 | Diagnostic & Test Interface Monitoring | 3 — Low | Detect | 2 |
| TDA-06 | Secure Software Development Practices (SSDP) | 10 — Critical | Protect | 99 |
| TDA-06.1 | Criticality Analysis | 9 — Critical | Protect | 36 |
| TDA-06.2 | Threat Modeling | 7 — High | Identify | 30 |
| TDA-06.3 | Software Assurance Maturity Model (SAMM) | 9 — Critical | Identify | 24 |
| TDA-06.4 | Supporting Toolchain | 6 — Medium | Identify | 6 |
| TDA-06.5 | Software Design Review | 10 — Critical | Detect | 18 |
| TDA-06.6 | Software Design Root Cause Analysis | 5 — Medium | Protect | 3 |
| TDA-07 | Secure Development Environments | 9 — Critical | Protect | 38 |
| TDA-08 | Separation of Development, Testing and Operational Environments | 10 — Critical | Protect | 50 |
| TDA-08.1 | Secure Migration Practices | 8 — High | Protect | 10 |
| TDA-09 | Cybersecurity & Data Protection Testing Throughout Development | 9 — Critical | Protect | 82 |
| TDA-09.1 | Continuous Monitoring Plan | 9 — Critical | Detect | 27 |
| TDA-09.2 | Static Code Analysis | 9 — Critical | Detect | 39 |
| TDA-09.3 | Dynamic Code Analysis | 9 — Critical | Detect | 33 |
| TDA-09.4 | Malformed Input Testing | 7 — High | Detect | 20 |
| TDA-09.5 | Application Penetration Testing | 9 — Critical | Detect | 30 |
| TDA-09.6 | Secure Settings By Default | 9 — Critical | Protect | 13 |
| TDA-09.7 | Manual Code Review | 5 — Medium | Detect | 5 |
| TDA-10 | Use of Live Data | 9 — Critical | Protect | 17 |
| TDA-10.1 | Test Data Integrity | 8 — High | Protect | 3 |
| TDA-11 | Product Tampering and Counterfeiting (PTC) | 9 — Critical | Protect | 35 |
| TDA-11.1 | Anti-Counterfeit Training | 6 — Medium | Protect | 23 |
| TDA-11.2 | Component Disposal | 0 — Low | Protect | 0 |
| TDA-12 | Customized Development of Critical Components | 8 — High | Protect | 11 |
| TDA-13 | Developer Screening | 9 — Critical | Protect | 19 |
| TDA-14 | Developer Configuration Management | 9 — Critical | Protect | 41 |
| TDA-14.1 | Software / Firmware Integrity Verification | 8 — High | Protect | 28 |
| TDA-14.2 | Hardware Integrity Verification | 5 — Medium | Protect | 9 |
| TDA-15 | Developer Threat Analysis & Flaw Remediation | 9 — Critical | Protect | 44 |
| TDA-16 | Developer-Provided Training | 9 — Critical | Protect | 20 |
| TDA-17 | Unsupported Technology Assets, Applications and/or Services (TAAS) | 10 — Critical | Protect | 45 |
| TDA-17.1 | Alternate Sources for Continued Support | 8 — High | Protect | 23 |
| TDA-18 | Input Data Validation | 9 — Critical | Protect | 41 |
| TDA-19 | Error Handling | 9 — Critical | Protect | 26 |
| TDA-20 | Access to Program Source Code | 9 — Critical | Protect | 22 |
| TDA-20.1 | Software Release Integrity Verification | 6 — Medium | Protect | 3 |
| TDA-20.2 | Archiving Software Releases | 8 — High | Protect | 1 |
| TDA-20.3 | Software Escrow | 7 — High | Protect | 7 |
| TDA-20.4 | Approved Code | 8 — High | Protect | 2 |
| TDA-21 | Product Conformity Governance | 9 — Critical | Protect | 5 |
| TDA-22 | Technical Documentation Artifacts | 7 — High | Protect | 6 |
| TDA-22.1 | Product-Specific Risk Assessment Artifacts | 4 — Medium | Protect | 2 |

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.