CCI-003107

The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes.

Implementation Guidance

The organization being inspected/assessed defines and documents within contracts/agreements, a requirement for the developer to demonstrate the use of a system development life cycle that includes the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes defined in SA-4 (3), CCI 3108.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes defined in SA-4 (3), CCI 3108.

Compelling Evidence

1.) System development life cycle (SDLC) includes organization-defined state-of-the-practice system/security engineering methods, software development methods , testing/evaluation/validation techniques, and quality control processes.

The controls below (if any) were marked by NIST as being related to CCI-003107.