CCI-003104

The organization defines the implementation information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.

Implementation Guidance

The organization being inspected/assessed defines and documents the implementation information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed. DoD has determined the implementation information is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented implementation information to ensure the organization being inspected/assessed defines the implementation information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed. DoD has determined the implementation information is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation includes implementation information by the system developer, as it related to security controls to be employed.

The controls below (if any) were marked by NIST as being related to CCI-003104.