CCI-003103

The organization defines the design information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.

Implementation Guidance

The organization being inspected/assessed defines and documents the design information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed. DoD has determined the design information is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented design information to ensure the organization being inspected/assessed defines the design information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed. DoD has determined the design information is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation includes design information by the system developer, as it related to security controls to be employed.

The controls below (if any) were marked by NIST as being related to CCI-003103.