Navigate

CCI-003174

CCI-003174 Definition

The organization defines the depth and coverage at which to perform unit, integration, system, and/or regression testing/evaluation.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed defines and documents the depth and coverage to perform unit, integration, system, and/or regression testing/evaluation. Examples of approaches or tool types that could be required are: 1. Approaches such as static analyses, dynamic analyses, binary analysis, or a hybrid of the three approaches; and 2. Tools such as web-based application scanners, static analysis tools, binary analyzers. DoD has determined the depth and coverage are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented depth and coverage to ensure the organization being inspected/assessed defines the depth and coverage to perform unit, integration, system, and/or regression testing/evaluation. DoD has determined the depth and coverage are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) System security plan (SSP). 2.) System development life cycle (SDLC) documentation must define organization depth and coverage of unit, integration, system, and/or regression testing for developer to perform.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003174.

Control	Description
SA-11	The organization requires the developer of the information system, system component, or information system service to: SA-11a.: Create and implement a security assessment plan; SA-11b.: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; SA-11c.: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; SA-11d.: Implement a verifiable flaw remediation process; and SA-11e.: Correct flaws identified during security testing/evaluation.

Control

Description

SA-11

The organization requires the developer of the information system, system component, or information system service to:

SA-11a.: Create and implement a security assessment plan;

SA-11b.: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];

SA-11c.: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;

SA-11d.: Implement a verifiable flaw remediation process; and

SA-11e.: Correct flaws identified during security testing/evaluation.