FedRAMP Controls / SA

SA-11(2) Threat Modeling and Vulnerability Analyses

Family SA
Baselines moderate
Mapped KSIs 0

Control statement

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:
    (a) Uses the following contextual information: {{ insert: param, sa-11.02_odp.01 }};
    (b) Employs the following tools and methods: {{ insert: param, sa-11.02_odp.02 }};
    (c) Conducts the modeling and analyses at the following level of rigor: {{ insert: param, sa-11.2_prm_3 }}; and
    (d) Produces evidence that meets the following acceptance criteria: {{ insert: param, sa-11.2_prm_4 }}.

Parameter placeholders of the form {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. The full parameter map is preserved in the catalog database.

No 20x Key Security Indicators map to this control in the current catalog version.