CCI-003171

The organization requires the developer of the information system, system component, or information system service to create a security assessment plan.

Implementation Guidance

The organization being inspected/assessed requires that the developer create and document a security assessment plan that includes: 1. The types of analyses, testing, evaluation, and reviews of software and firmware components; 2. The degree of rigor to be applied; and 3. The types of artifacts produced during those processes.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service create a security assessment plan.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation must contain developer-created Security Assessment Plan.

The controls below (if any) were marked by NIST as being related to CCI-003171.