SA-15 (4) Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis

The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
     SA-15 (4)(a):  Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
     SA-15 (4)(b):  Employs [Assignment: organization-defined tools and methods]; and
     SA-15 (4)(c):  Produces evidence that meets [Assignment: organization-defined acceptance criteria].

Applicable CNSSI 1253 Baselines

Confidentiality
  • L
  • M
  • H
Integrity
  • L
  • M
  • H
Availability
  • L
  • M
  • H

Related Controls