CCI-002769

The organization ensures that software and data employed during non-persistent information system component and service refreshes are obtained from organization-defined trusted sources.

Implementation Guidance

The organization being inspected/assessed documents and implements a process to obtain software and data used during non-persistent information system component and service refreshes from trusted sources defined in SI-14 (1), CCI 2768.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed ensures that software and data used during non-persistent information system component and service refreshes from trusted sources defined in SI-14 (1), CCI 2768.

Compelling Evidence

1.) Signed and dated System security plan defines a process to obtain software and data used during non-persistent information system component and service refreshes from trusted sources defined in SI-14 (1), CCI 2768. 2.) Documentation that software and data used during non-persistent information system component and service refreshes are only from the defined sources in SI-14 (1), CCI 2768.

The controls below (if any) were marked by NIST as being related to CCI-002769.