CCI-003101

The organization requires the developer of the information system, system component, or information system service to provide design information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics, and/or organization-defined design information at an organization-defined level of detail.

Implementation Guidance

The organization being inspected/assessed defines and documents in contracts/agreements, the design information for the security controls that the developer will employ in the information system to include security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics and/or design/information defined in SA-4 (2), CCI 3103 at the level of detail defined in SA-4 (2), CCI 3105.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires the developer of the information system, system component, or information system service to provide design information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code and/or hardware schematics and/or design/information defined in SA-4 (2), CCI 3103 at the level of detail defined in SA-4 (2), CCI 3105.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation includes design information by the system developer. 3.) Security control documentation includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics and organization defined design/information level of detail.

The controls below (if any) were marked by NIST as being related to CCI-003101.