Control statement
Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
Requirement: The service provider must document its methodology for reviewing newly developed code for the Service in its Continuous Monitoring Plan.
If static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8)).
Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. The full parameter map is preserved in the catalog database.
No 20x Key Security Indicators map to this control in the current catalog version.