TDA-02: Minimum Viable Product (MVP) Security Requirements

TDA 9 — Critical Protect

Mechanisms exist to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.

Control Question: Does the organization design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats?

General (39)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	CC5.2 PI1.1-POF1 PI1.1-POF2 PI1.1-POF3
CIS CSC 8.1	16.4
COSO 2017	Principle 11
CSA IoT SCF 2	SDV-07
GovRAMP Moderate	SA-04
GovRAMP High	SA-04
IEC TR 60601-4-5 2021	4.2 4.6.2 4.6.3
ISO 27002 2022	8.25 8.29 8.30
ISO 27017 2015	14.2.9
ISO 42001 2023	A.6.2.2
NIST 800-53 R4	SA-4
NIST 800-53 R4 (low)	SA-4
NIST 800-53 R4 (moderate)	SA-4
NIST 800-53 R4 (high)	SA-4
NIST 800-53 R5 (source)	SA-4
NIST 800-53B R5 (privacy) (source)	SA-4
NIST 800-53B R5 (low) (source)	SA-4
NIST 800-53B R5 (moderate) (source)	SA-4
NIST 800-53B R5 (high) (source)	SA-4
NIST 800-82 R3 LOW OT Overlay	SA-4
NIST 800-82 R3 MODERATE OT Overlay	SA-4
NIST 800-82 R3 HIGH OT Overlay	SA-4
NIST 800-161 R1	SA-4
NIST 800-161 R1 C-SCRM Baseline	SA-4
NIST 800-161 R1 Level 1	SA-4
NIST 800-161 R1 Level 2	SA-4
NIST 800-161 R1 Level 3	SA-4
NIST 800-171 R2 (source)	NFO-SA-4
NIST 800-171 R3 (source)	03.16.01
NIST 800-218	PO.1 PO.1.1 PO.1.2 PW.1.2 PW.1.3 PW.2 PW.4.4 PW.5.1 PW.9.1 PW.9.2
OWASP Top 10 2021	A01:2021 A02:2021 A03:2021 A04:2021 A05:2021 A06:2021 A07:2021 A08:2021 A09:2021 A10:2021
SWIFT CSF 2023	2.8A 2.9 2.10
UL 2900-1 2017	4.1 5.1 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 12.1 12.2 12.3 12.4 12.5 12.6 12.7 12.8
UN R155	7.2.2.1(a) 7.2.2.1(b) 7.2.2.1(c) 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h) 7.2.2.3 7.2.2.4(a) 7.2.2.4(b) 7.2.2.5 7.3.4
UN ECE WP.29	7.2.2.1(a) 7.2.2.1(b) 7.2.2.1(c) 7.2.2.2(a) 7.2.2.2(b) 7.2.2.2(c) 7.2.2.2(d) 7.2.2.2(e) 7.2.2.2(f) 7.2.2.2(g) 7.2.2.2(h) 7.2.2.3 7.2.2.4(a) 7.2.2.4(b) 7.2.2.5 7.3.4
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	TDA-02
SCF CORE ESP Level 1 Foundational	TDA-02
SCF CORE ESP Level 2 Critical Infrastructure	TDA-02
SCF CORE ESP Level 3 Advanced Threats	TDA-02

US (22)

Framework	Mapping Values
US CERT RMM 1.2	EXD:SG3.SP4 RTSE:SG1.SP1 RTSE:SG1.SP2 RTSE:SG1.SP3 RTSE:SG1.SP4 RTSE:SG1.SP5
US CMS MARS-E 2.0	SA-4
US DHS CISA SSDAF	1.d 1.e
US DHS ZTCF	DEV-03
US EO 14028	4e(i)(D) 4e(i)(E)
US FedRAMP R4	SA-4
US FedRAMP R4 (low)	SA-4
US FedRAMP R4 (moderate)	SA-4
US FedRAMP R4 (high)	SA-4
US FedRAMP R4 (LI-SaaS)	SA-4
US FedRAMP R5 (source)	SA-4
US FedRAMP R5 (low) (source)	SA-4
US FedRAMP R5 (moderate) (source)	SA-4
US FedRAMP R5 (high) (source)	SA-4
US FedRAMP R5 (LI-SaaS) (source)	SA-4
US IRS 1075	SA-4
US NISPOM 2020	8-302 8-613
US - CA SB327	1798.91.04(a) 1798.91.04(a)(1) 1798.91.04(a)(2) 1798.91.04(a)(3) 1798.91.04(b) 1798.91.04(b)(1) 1798.91.04(b)(2)
US - CA CCPA 2025	7123(c)(14)
US - TX DIR Control Standards 2.0	SA-4
US - TX TX-RAMP Level 1	SA-4
US - TX TX-RAMP Level 2	SA-4

EMEA (5)

Framework	Mapping Values
EMEA EU Cyber Resiliency Act Annexes	Annex 1.1(1) Annex 1.1(3)(b) Annex 1.1(3)(c) Annex 1.1(3)(d) Annex 1.1(3)(f) Annex 1.1(3)(g) Annex 1.1(3)(i) Annex 6 Module A.3
EMEA EU EBA GL/2019/04	3.6.2(68)
EMEA Germany Banking Supervisory Requirements for IT (BAIT)	7.7
EMEA Germany C5 2020	DEV-02
EMEA Saudi Arabia CSCC-1 2019	2-13-1 2-13-2 2-13-3-1 2-13-3-2 2-13-3-3 2-13-3-4

APAC (3)

Framework	Mapping Values
APAC Japan ISMAP	14.2.9
APAC New Zealand HISF 2022	HHSP31 HML31
APAC Singapore MAS TRM 2021	5.3.3

Americas (1)

Framework	Mapping Values
Americas Canada ITSP-10-171	03.16.01

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.

Level 1 — Performed Informally

Technology Development & Acquisition (TDA) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

IT personnel use an informal process to govern technology development and acquisition.
Secure development practices loosely conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).
IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
Project management is decentralized and generally lacks formal project management managers or broader oversight.

Level 2 — Planned & Tracked

Technology Development & Acquisition (TDA) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Development and acquisition management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for technology development and acquisition management.
IT/cybersecurity personnel implement secure practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets, data and network(s).
Secure development practices mostly conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).
Procurement practices require third-party developers of systems, system components or services to follow secure engineering practices.
A Project Management Office (PMO), or project management function, enables the implementation of cybersecurity and data privacy-related resource planning controls across the System Development Lifecycle (SDLC) for all high-value projects.

Level 3 — Well Defined

Technology Development & Acquisition (TDA) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data for technology development and acquisition. o Ensures the Information Assurance Program (IAP) evaluates applicable cybersecurity and data protection controls as part of “business as usual” pre-production testing. o Operates the Cybersecurity Supply Chain Risk Management (C-SCRM) program to identify and mitigate supply chain-related risks and threats.

Secure development practices conform to industry-recognized standards for secure engineering (e.g., OWASP, NIST SP 800-218, NIST SP 800-160, etc.).
A procurement team, or similar function, ensures that third party development and/ or acquisitions meet, or exceed, the organization's business, cybersecurity and data privacy requirements to have secure and resilient systems, applications, services and processes.
A Software Assurance Maturity Model (SAMM) governs a secure development lifecycle for the development of systems, applications and services.
Administrative processes exist and technologies are configured to implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings, putting the asset at a greater risk of compromise.
An IT Asset Management (ITAM) function, or similar function, categorizes devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data.
A formal Change Management (CM) program help to ensure that no unauthorized changes are made, all changes are documented, services are not disrupted and resources are used efficiently.
A Governance, Risk & Compliance (GRC) function, or similar function;
A Project Management Office (PMO), or project management function, enables IAP pre-production testing of cybersecurity and data protection controls as part of the organization's established project management processes.

Level 4 — Quantitatively Controlled

Technology Development & Acquisition (TDA) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to design, develop and produce Technology Assets, Applications and/or Services (TAAS) in such a way that risk-based technical and functional specifications ensure Minimum Viable Product (MVP) criteria establish an appropriate level of security and resiliency based on applicable risks and threats.

Assessment Objectives

TDA-02_A01 cybersecurity / data privacy functional requirements, descriptions and criteria are included explicitly or by reference using in the acquisition contract for the system, system component or system service.
TDA-02_A02 strength of mechanism requirements, descriptions and criteria are included explicitly or by reference using in the acquisition contract for the system, system component or system service.
TDA-02_A03 cybersecurity / data privacy assurance requirements, descriptions and criteria are included explicitly or by reference using in the acquisition contract for the system, system component or system service.
TDA-02_A04 controls needed to satisfy the cybersecurity / data requirements, descriptions and criteria are included explicitly or by reference using in the acquisition contract for the system, system component or system service.
TDA-02_A05 cybersecurity / data privacy documentation requirements, descriptions and criteria are included explicitly or by reference using in the acquisition contract for the system, system component or system service.
TDA-02_A06 requirements for protecting cybersecurity / data privacy documentation, descriptions and criteria are included explicitly or by reference using in the acquisition contract for the system, system component or system service.
TDA-02_A07 the description of the system development environment and environment in which the system is intended to operate, requirements and criteria are included explicitly or by reference using in the acquisition contract for the system, system component or system service.
TDA-02_A08 the allocation of responsibility or identification of parties responsible for cybersecurity / data privacy requirements, descriptions and criteria are included explicitly or by reference using in the acquisition contract for the system, system component or system service.
TDA-02_A09 the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions and criteria are included explicitly or by reference using organization-defined criteria.
TDA-02_A10 acceptance criteria requirements and descriptions are included explicitly or by reference using in the acquisition contract for the system, system component or system service.

Evidence Requirements

E-TDA-06 Multi Patient Harm View (MPHV): Documented evidence of a description of a Multi Patient Harm View (MPHV) that explains how the device / system defends against and/or responds to attacks with the potential to harm multiple patients. [note MPHV is specific to medical device manufacturers]
Technology Design & Acquisition

Technology Recommendations

Micro/Small

Defined business processes
Product / project management
Defined technical requirements
Defined business requirements

Small

Defined business processes
Product / project management
Defined technical requirements
Defined business requirements

Medium

Defined business processes
Product / project management
Defined technical requirements
Defined business requirements
System Development Lifecycle (SDLC) governance / oversight

Large

Defined business processes
Product / project management
Defined technical requirements
Defined business requirements
System Development Lifecycle (SDLC) governance / oversight

Enterprise

Defined business processes
Product / project management
Defined technical requirements
Defined business requirements
System Development Lifecycle (SDLC) governance / oversight