CCI-003111

Requires the developer of the system, system component, or system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

Implementation Guidance

Determine if the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system component, or system service; security configurations to be implemented by the developer of the system, system component, or system service; service level agreements; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility to determine system security requirements; system developers or service provider; organizational personnel with information security responsibilities]. Test: [SELECT FROM: Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified].

The controls below (if any) were marked by NIST as being related to CCI-003111.