CCI-003109

The organization requires the developer of the information system, system component, or information system service to deliver the system, component, or service with organization-defined security configurations implemented.

Implementation Guidance

The organization being inspected/assessed documents within contracts/agreements, requirements that the developer of the information system, system component, or information system service to deliver the system, component, or service with security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs. DoD has defined the security configurations as security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires he developer of the information system, system component, or information system service to deliver the system, component, or service with security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs. DoD has defined the security configurations as security configurations identified by the applicable requirements from DoDI 8510.01 and STIGs/SRGs.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation that includes implementation information by the system developer, as it relates to security controls to be employed.

The controls below (if any) were marked by NIST as being related to CCI-003109.