CCI-003172

The organization requires the developer of the information system, system component, or information system service to implement a security assessment plan.

Implementation Guidance

The organization being inspected/assessed requires that the developer implement the security assessment plan developed in SA-11, CCI 003171.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the contracts/agreements to ensure the organization being inspected/assessed requires that the developer of the information system, system component, or information system service implement a security assessment plan.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation must require implementation of developer-created Security Assessment Plan.

The controls below (if any) were marked by NIST as being related to CCI-003172.