CCI-003114

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

Implementation Guidance

The organization being inspected/assessed documents within contracts/agreements, the requirement that the developer of the information system, system component, or information system service identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. Ports identified shall be assessed and planned for in light of DISA's PPSM requirements.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation identifies functions, ports, protocols and services intended for use.

The controls below (if any) were marked by NIST as being related to CCI-003114.