CCI-002769

Obtain software and data employed during non-persistent system component and service refreshes are obtained from organization-defined trusted sources.

Implementation Guidance

Determine if the software and data employed during system component and service refreshes are obtained from [SI-14(01)_ODP; trusted sources to obtain software and data for system component and service refreshes are defined].

Validation Procedures

Examine: [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing non-persistence for system components; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel responsible for obtaining component and service refreshes from trusted sources; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Organizational processes for defining and obtaining component and service refreshes from trusted sources; automated mechanisms supporting and/or implementing component and service refreshes].

The controls below (if any) were marked by NIST as being related to CCI-002769.