Navigate

CCI-003163

CCI-003163 Definition

Require the developer of the system, system component, or system service to report findings of security flaws and flaw resolution within the system, component, or service to organization-defined personnel.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - the developer of the system, system component, or system service is required to track security flaws within the system, component, or service. - the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service. - the developer of the system, system component, or system service is required to report findings to [SA-10_ODP[03]; personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined].

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; security flaw and flaw resolution tracking records; system change authorization records; change control records; configuration management records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers]. Test: [SELECT FROM: Organizational processes for monitoring developer configuration management; mechanisms supporting and/or implementing the monitoring of developer configuration management].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003163.

Control	Description
SA-10	Require the developer of the system, system component, or system service to: a: Perform configuration management during system, component, or service [one or more of "design"/"development"/"implementation"/"operation"/"disposal"]; b: Document, manage, and control the integrity of changes to [configuration items under configuration management are defined;]; c: Implement only organization-approved changes to the system, component, or service; d: Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and e: Track security flaws and flaw resolution within the system, component, or service and report findings to [personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;].

Control

Description

SA-10

Require the developer of the system, system component, or system service to:

a: Perform configuration management during system, component, or service [one or more of "design"/"development"/"implementation"/"operation"/"disposal"];

b: Document, manage, and control the integrity of changes to [configuration items under configuration management are defined;];

c: Implement only organization-approved changes to the system, component, or service;

d: Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and

e: Track security flaws and flaw resolution within the system, component, or service and report findings to [personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;].