CCI-003102
CCI-003102 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using [SA-04(02)_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [SA-04(02)_ODP[02]; design and implementation information is defined (if selected)]}] at [SA-04(02)_ODP[03]; level of detail is defined].
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system components, or system services; design and implementation information for controls employed in the system, system component, or system service; system security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility to determine system security requirements; system developers or service provider; organizational personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for determining the level of detail for system design and controls; organizational processes for developing acquisition contracts; mechanisms supporting and/or implementing the development of system design details].