CCI-003110

Defines the security configurations required to be implemented when the developer delivers the system, system component, or system service.

Implementation Guidance

Determine if the developer of the system, system component, or system service is required to deliver the system, component, or service with [SA-04(05)_ODP; security configurations for the system, component, or service are defined] implemented.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system component, or system service; security configurations to be implemented by the developer of the system, system component, or system service; service level agreements; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility to determine system security requirements; system developers or service provider; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified].

The controls below (if any) were marked by NIST as being related to CCI-003110.